I'm having an issue myself, but I don't know whether the format is different in the new Ruckus controller version or its output.
2017-11-02T15:10:17-07:00 SCG01 Core: User[AA:FD:BB:28:91:AA] disconnects from WLAN[wifi] at AP[dW-con-007@AA:BB:C4:29:F1:10] with session data(Client Mac[CC:FD:CC:28:AA:2B],Client IP[],OS Type[],Host Name[],BSSID[1C:B9:C4:CC:F1:FF],User Name[DD:AA:17:FF:91:2B],VLAN[80],Encryption[None],Association Time[11 02 22:09:46 2017],Disconnect Reason[client Disconnect],Session Duration[30s],Bytes to User[0],Bytes from User [374],RSSI[10],SNR[-102],Client Radio[g/n],AP Location[],AP GPS[])
inputs.conf
# Monitor every *.log file under /opt/syslog/ruckus/ and send the events to the
# "ruckus" index with the generic sourcetype ruckus:log. props.conf/transforms.conf
# then re-type individual events at index time.
[monitor:///opt/syslog/ruckus/*.log]
index = ruckus
sourcetype = ruckus:log
# NOTE(review): host_segment takes the Nth "/"-separated segment of the monitored
# path as the host value. For /opt/syslog/ruckus/<file>.log the 4th segment is the
# file name itself, so host would be "<file>.log" rather than the controller name
# (SCG01 in the sample event). Confirm this is intended; a wrong host field makes
# per-device searches and alerting unreliable.
host_segment = 4
disabled = false
props.conf
# Base sourcetype assigned by the monitor input. Events are treated as one per
# line and then re-typed at index time by the transforms listed in
# TRANSFORMS-sourcetype.
[ruckus:log]
category = Network
description = Output produced by the Ruckus Wireless Controller
pulldown_type = true
SHOULD_LINEMERGE = false
# NOTE(review): 16 characters covers a syslog-style "Mmm dd HH:MM:SS" prefix, but
# the sample event on this page starts with a 25-character ISO 8601 timestamp
# (2017-11-02T15:10:17-07:00). With a lookahead of 16 only "2017-11-02T15:10" is
# examined, so the seconds and the UTC offset fall outside the window. Inaccurate
# event times break correlation with other log sources; raise this value if the
# controller now emits ISO timestamps.
MAX_TIMESTAMP_LOOKAHEAD = 16
# Only ruckus_core is defined in the transforms.conf excerpt shown with this
# config; the other six transforms named here must be defined elsewhere.
TRANSFORMS-sourcetype = ruckus_core,ruckus_core_disconnect,ruckus_core_reconnect, ruckus_core_join, ruckus_core_authorize, ruckus_sshd, ruckus_kernel
# Search-time alias: a sourcetype named ruckus_core is presented as ruckus:core.
[ruckus_core]
rename = ruckus:core
# Settings for events that the ruckus_core transform has re-typed to ruckus:core.
[ruckus:core]
# Intended to switch off automatic key/value field extraction for this sourcetype.
KV_MODE = None
# NOTE(review): BREAK_ONLY_BEFORE is only consulted when SHOULD_LINEMERGE = true,
# so with the setting below this pattern has no effect.
BREAK_ONLY_BEFORE=\w{3}\s{1,2}\d{1,2}\s
SHOULD_LINEMERGE = false
# NOTE(review): TIME_FORMAT describes a syslog-style "Nov  2 15:10:17" prefix and
# does not match the ISO 8601 timestamp in the sample event. In addition, the
# sourcetype is rewritten by an index-time transform, which presumably runs after
# timestamp extraction has already happened under [ruckus:log]; verify whether
# these two settings are applied at all.
TIME_PREFIX=^
TIME_FORMAT=%b %d %H:%M:%S
transforms.conf
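# Index-time sourcetype override: an event whose prefix is
# "<timestamp> <host> Core:" is re-typed to ruckus:core.
[ruckus_core]
DEST_KEY = MetaData:Sourcetype
# The previous pattern accepted only "Mmm dd HH:MM:SS <IPv4> Core:" and left the
# dots in the IPv4 part unescaped, so they matched any character. The sample event
# on this page begins "2017-11-02T15:10:17-07:00 SCG01 Core:" (ISO 8601 timestamp,
# host name instead of IP), which that pattern never matches, so such events stay
# in ruckus:log. This pattern accepts either timestamp style followed by a host
# name or IP address.
REGEX = ^(?:\w{3}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2})?)\s[\w.:-]+\sCore:
FORMAT = sourcetype::ruckus:core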