I had the same problem. The Tiny FTP App works great, but it needs some tweaking in order to run properly.
To answer your question, here are the steps needed to get Tiny FTP up and running in Splunk:
Download and install Tiny FTP App in Splunk.
Open this file in Notepad (make sure you open up Notepad with admin rights first, or you won't be able to edit the file): C:\Program Files\Splunk\etc\system\local\props.conf
Paste in the sourcetype definition, which should be:
[FileZilla_FTP]
EXTRACT-ftp_pMsg = (?i)^[^>]>\s+\w+\s+(?P .+)
EXTRACT-ftp_msg = (?i)^(?:[^.] .){3}\d+)(?P .+)
EXTRACT-ftp_src_ip = (?i) .? ((?P \d+.\d+.\d+.\d+)(?=))
EXTRACT-ftp_usr = (?i)^[^-] -\s+(?P .+?)\s+(
EXTRACT-ftp_command = (?i)^(?:[^)])){2}>\s+(?P [a-z][a-z][a-z]+)
EXTRACT-ftp_code = (?i)^[^>] >\s+(?P [\d\d\d]+)
LOOKUP- = geoip_lcl lip OUTPUT Latitude,Longitude
pulldown_type = 1
Save and close the file in Notepad.
Do the same thing to the props.conf file located in: C:\Program Files\Splunk\etc\apps\tFTP\default\
Restart your Splunk installation by going to Settings > Server Controls > Restart Splunk.
You should now be able to select your source data file, select the FileZilla_FTP sourcetype, and have the data load properly.
You'll notice that I added an entry to show up in the pulldown, as well as making a change to the sourcetype definition on the third line; namely, I had to edit the regex, as there was one error that was preventing the FileZilla log format from being parsed correctly. Basically, you change this line:
EXTRACT-ftp_msg = (?i)^(?:[^.].){5}\d+)(?P .+)
To this:
EXTRACT-ftp_msg = (?i)^(?:[^.] .){3}\d+)(?P .+)
Essentially that is the part of the Regex expression that is looking for periods in the IP address, and was incorrectly set to 5. As IPv4 addresses only have 3 periods, this expression would never return anything in the query, causing problems. Switch the 5 to a 3 and you'll be golden.
Hope this helps! Cheers.
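To illustrate the point about the period count, here is an added example (my own code, not the app's props.conf and not part of the answer above). It assumes a FileZilla Server style log line of the form `(session)date time - user (ip)> message`, uses constructed sample lines, and shows both a named-group extraction of the same fields the EXTRACT- stanzas target (src_ip, usr, command, code, msg) and why a pattern that expects 5 dotted parts never matches an IPv4 address while one expecting 3 does. The regexes here are assumptions written for this example, not the original stanza's.

```python
import re

# Constructed FileZilla-style log lines for this example (format assumed).
SAMPLE_LOG = [
    "(000001)3/7/2021 14:22:34 PM - (not logged in) (203.0.113.5)> USER alice",
    "(000001)3/7/2021 14:22:35 PM - alice (203.0.113.5)> 230 Logged on",
    "(000002)3/7/2021 14:22:40 PM - (not logged in) (198.51.100.7)> PASS ****",
    "(000002)3/7/2021 14:22:40 PM - (not logged in) (198.51.100.7)> 530 Login or password incorrect!",
]

# An IPv4 address is four dotted-decimal groups, i.e. exactly 3 periods.
IPV4 = r"(?P<src_ip>(?:\d{1,3}\.){3}\d{1,3})"

# Whole-line extraction: session id, timestamp, user, source IP, message.
LINE_RE = re.compile(
    r"^\((?P<session>\d+)\)(?P<ts>[^-]+?)\s+-\s+(?P<usr>.+?)\s+\("
    + IPV4
    + r"\)>\s+(?P<msg>.*)$"
)
# The message starts with either a client command (USER, PASS, ...) or a
# three-digit server reply code (230, 530, ...).
COMMAND_RE = re.compile(r"^(?P<command>[A-Z]{3,4})\b")
CODE_RE = re.compile(r"^(?P<code>\d{3})\b")


def parse_line(line):
    """Return a dict of extracted fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    msg = fields["msg"]
    cmd = COMMAND_RE.match(msg)
    code = CODE_RE.match(msg)
    fields["command"] = cmd.group("command") if cmd else None
    fields["code"] = code.group("code") if code else None
    return fields


def failed_logins(lines):
    """Return (src_ip, usr) pairs for server replies with code 530 (login failed)."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f and f["code"] == "530":
            hits.append((f["src_ip"], f["usr"]))
    return hits


def ip_pattern_matches(ip, repeat):
    """Does a pattern expecting `repeat` dotted groups before the last one match `ip`?

    With repeat=3 this is the correct IPv4 shape; with repeat=5 (the bug in the
    original stanza) it can never match a dotted-quad address.
    """
    pattern = re.compile(r"^(?:\d+\.){" + str(repeat) + r"}\d+$")
    return pattern.match(ip) is not None


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
    print("failed logins:", failed_logins(SAMPLE_LOG))
    print("3 periods matches:", ip_pattern_matches("203.0.113.5", 3))
    print("5 periods matches:", ip_pattern_matches("203.0.113.5", 5))
```

Running the module prints the parsed fields for each sample line, the one failed-login event with its source IP, and True/False for the 3-period versus 5-period pattern, which is the same mismatch the `{5}` to `{3}` correction in the stanza resolves.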