Greetings,
New to Splunk. Running on an Ubuntu box, current 64-bit release, with current Splunk release.
Attempted to run with a Netgear FVS-318v3, using "netgear" sourcetype. It fails to identify events - no decodes, no events counted, and no panels populated. Sample log entry:
Wed, 2016-02-03 22:11:43 - TCP packet - Source: xxx.xx.x.x - Destination: xx.xx.xx.xxx - [Attempt to access URl: www.google.com
Src 50670 Dst 80 from LAN]
Switched to WRT54g running dd-wrt, using "dd-wrt" sourcetype, and Home Monitor detected nothing going on. Identified the "br0" vs "eth0" issue described elsewhere, and corrected with an entry into local props.conf. It properly counts events ("in" only, at the moment), but no decodes, and no panels populated.
I have yet to see the app decode an event and put up a source or destination IP address, and I'm only working with simple connection events at the moment. Tests run with HM 4.3.0 and HM 4.4.0. It refuses to decode logs, and I've run out of firewalls to try.
Where does one find the map of fields that HM wants populated? I'm looking for the field definitions that HM wants filled as input, when it's parsing syslog event lines. If I want to create my own sourcetype (or correct one of the ones already bundled in HM), where do I find that information? It doesn't appear to be in props or transforms or any other conf file (yet) I've looked in.
Through some RegEx hacking, I figured out a proper expression for the FVS-318's timestamp format %a, %Y-%m-%d %H:%M:%S, but I don't know where to find the field definitions, so that I can tell HM to use it.
Is there a traceability feature in Splunk, where I can watch events get parsed against the criteria?
Thanks for whatever help you may offer.
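As an added example (not from the poster, and not Home Monitor's own configuration), the following Python script shows what a parser for the FVS-318 event shown above has to do before any dashboard can populate: merge the two physical lines into one event, apply the %a, %Y-%m-%d %H:%M:%S timestamp format, and extract source/destination addresses and ports. The field names (src_ip, dest_ip, src_port, dest_port, direction) are an assumption about what a custom sourcetype would need to emit; the sample addresses are constructed from RFC 5737 documentation ranges because the post masks its real ones.

```python
import re
from datetime import datetime

# Timestamp format worked out in the post for the FVS-318's syslog output.
TIMESTAMP_FORMAT = "%a, %Y-%m-%d %H:%M:%S"

# A line that starts with an FVS-318 timestamp begins a new event; the
# "Src ... Dst ... from ..." part arrives on a continuation line.
TS_LINE_RE = re.compile(r"^\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} - ")

# Layout of the two-line "TCP packet" event quoted in the post. The named
# groups are assumed field names for a custom sourcetype, not names that
# Home Monitor documents.
EVENT_RE = re.compile(
    r"^(?P<timestamp>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>\w+) packet - Source: (?P<src_ip>[\d.]+) - "
    r"Destination: (?P<dest_ip>[\d.]+) - "
    r"\[Attempt to access URl: (?P<url>\S+)\s+"
    r"Src (?P<src_port>\d+) Dst (?P<dest_port>\d+) from (?P<direction>\w+)\]$",
    re.DOTALL,
)

# Constructed sample log: two events in the post's layout, with RFC 5737
# documentation addresses standing in for the masked ones.
SAMPLE_LOG = """\
Wed, 2016-02-03 22:11:43 - TCP packet - Source: 192.0.2.10 - Destination: 198.51.100.25 - [Attempt to access URl: www.google.com
Src 50670 Dst 80 from LAN]
Wed, 2016-02-03 22:12:07 - TCP packet - Source: 192.0.2.11 - Destination: 203.0.113.5 - [Attempt to access URl: example.org
Src 51200 Dst 443 from LAN]
"""


def split_events(text):
    """Group raw syslog lines into events.

    A line matching the timestamp pattern starts a new event; any other line
    is appended to the event in progress. Without this step each physical
    line would be indexed on its own and the port fields would never be
    attached to the address fields.
    """
    events = []
    for line in text.splitlines():
        if TS_LINE_RE.match(line):
            events.append(line)
        elif events:
            events[-1] += "\n" + line
    return events


def parse_event(raw):
    """Parse one merged FVS-318 event into a dict of fields.

    Returns None when the event does not match the expected layout, so that
    unparseable events are visible instead of silently indexed with no fields.
    """
    m = EVENT_RE.match(raw.strip())
    if not m:
        return None
    fields = m.groupdict()
    # Convert the timestamp using the format from the post.
    fields["_time"] = datetime.strptime(fields.pop("timestamp"), TIMESTAMP_FORMAT)
    fields["src_port"] = int(fields["src_port"])
    fields["dest_port"] = int(fields["dest_port"])
    return fields


if __name__ == "__main__":
    for event in split_events(SAMPLE_LOG):
        print(parse_event(event))
```

Running the script prints one dict per event; the same two steps (line merging on the timestamp, then a regex over the merged event) are what a props.conf/transforms.conf pair for a custom sourcetype would have to express.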