Trying to configure the TA-cisco_ios app.
I cannot get the syslog sourcetype to transform to cisco:ios sourcetype.
I have a lot of syslog data streaming to the syslog sourcetype.
The regex below works fine in a search query.
Files were deployed to the indexers.
props.conf
[syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios = force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_ios-xr
...
transforms.conf
[force_sourcetype_for_cisco_ios]
DEST_KEY = MetaData:Sourcetype
# Named groups restored where the paste had dropped the names (event_id, device_time, facility,
# taken from the ios-xr stanza below); subfacility assumed optional so %FACILITY-N-MNEMONIC matches.
REGEX = (?<reported_hostname>\S+)(\s(?<event_id>\d+)?:\s(?:.\S+:\s)?(?<reliable_time>[.*])?(?<device_time>.+)?)?:\s%(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|PIX|ACE)[A-Z0-9_]+)-(?<subfacility>[A-Z12_](-?[A-Z_])*)?-?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)
FORMAT = sourcetype::cisco:ios
[force_sourcetype_for_cisco_ios-xr]
DEST_KEY = MetaData:Sourcetype
# Group names restored; the pasted [(? \d+)] is read as a bracketed process id (name process_id assumed);
# subfacility assumed optional as in the stanza above.
REGEX = (?<reported_hostname>\S+)\s(?<event_id>\d+):\s(?<node_id>(?:[A-Z]+)\/(?:\d+)\/(?:[A-Z0-9]+)\/(?:[A-Z0-9]+)):(?<device_time>.+)\s:\s(?<process_name>[A-Za-z0-9_]+)\[(?<process_id>\d+)\]:\s%(?<category>[A-Z0-9_]+)-(?<facility>[A-Z0-9_]+)-(?<subfacility>[A-Z12_](-?[A-Z_])*)?-?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+)\s:\s(?<message_text>.+)
FORMAT = sourcetype::cisco:ios
...
Any pointers / advice would be great!!!
The regex above may not have copied/pasted correctly.
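An offline check of the transform, added here as example code written for this question (not part of TA-cisco_ios or Splunk): it runs the [force_sourcetype_for_cisco_ios] REGEX, with its group names restored and subfacility assumed optional, over a few constructed syslog lines in Node.js, whose regex engine also understands (?<name>...) groups and lookaheads, and reports which lines the transform would move to cisco:ios.

```javascript
// Added example (not from TA-cisco_ios or Splunk): run the transforms.conf
// REGEX over a few constructed syslog lines to see which events the
// transform would move from the [syslog] sourcetype to cisco:ios.

// REGEX from the [force_sourcetype_for_cisco_ios] stanza, with the group
// names that the copy/paste dropped restored (event_id, device_time,
// facility) and subfacility made optional, as assumed in the repaired stanza.
const CISCO_IOS_REGEX = new RegExp(String.raw`(?<reported_hostname>\S+)(\s(?<event_id>\d+)?:\s(?:.\S+:\s)?(?<reliable_time>[.*])?(?<device_time>.+)?)?:\s%(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|PIX|ACE)[A-Z0-9_]+)-(?<subfacility>[A-Z12_](-?[A-Z_])*)?-?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)`);

// Mirrors the transform: on a match, FORMAT rewrites the sourcetype to
// cisco:ios; otherwise the event keeps the sourcetype it arrived with.
function forceSourcetype(line) {
  const m = CISCO_IOS_REGEX.exec(line);
  return m
    ? { sourcetype: 'cisco:ios', fields: m.groups }
    : { sourcetype: 'syslog', fields: null };
}

// Constructed sample events, as a syslog server would write them
// (syslog timestamp, relay host, then the device's own message).
const SAMPLES = [
  // IOS message with a sequence number and an unsynced-clock marker (*)
  'Mar 12 10:15:01 10.0.0.1 1234: *Mar 12 10:15:00.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down',
  // plain Linux syslog: must stay sourcetype=syslog
  'Mar 12 10:15:02 host01 sshd[4321]: Accepted publickey for admin from 10.0.0.9 port 50022 ssh2',
  // ASA-style message: excluded by the negative lookahead, so it stays syslog
  'Mar 12 10:15:03 fw01 77: Mar 12 10:15:03.000: %ASA-6-302013: Built outbound TCP connection 8 for outside:10.0.0.5/443',
];

// Returns the sourcetype the transform would assign to each sample line.
function classifyAll(lines = SAMPLES) {
  return lines.map((line) => forceSourcetype(line).sourcetype);
}

for (const line of SAMPLES) {
  const { sourcetype, fields } = forceSourcetype(line);
  const tag = fields ? ` ${fields.facility}-${fields.severity_id}-${fields.mnemonic}` : '';
  console.log(`${sourcetype}${tag}`);
}
```

Splunk evaluates REGEX with PCRE, so treat this as a sanity check of the pattern, not a substitute for testing on the indexer with a sample file. Also remember that index-time transforms run on the first full parsing tier the data crosses, so if the syslog data reaches the indexers via a heavy forwarder, the props/transforms must be deployed there instead.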