override host assignment

If the log file looks like this:
—snip—
Apr 20 13:51:43 ROU-XXX-YYY-1-gi02 1737909: Apr 20 13:51:42.985: %SEC-6-IPACCESSLOGP: list von_WHAT_EVER denied tcp 1.1.1.32(63881) -> 2.2.2.19(443), 1 packet
—snip—

transforms.conf:
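[NameOfClass]
# Index-time host override: set the event's host from the syslog header instead
# of keeping the host of the relay/forwarder that delivered the line.
# The capture group is the first non-whitespace token after the leading
# "Mon D HH:MM:SS" timestamp (ROU-XXX-YYY-1-gi02 in the sample line).
# \s+ before the day also accepts the two-space padding that BSD-style syslog
# uses for days 1-9 ("Apr  5"); with a single \s those lines would not match
# and would silently keep the original host.
# NOTE(review): the captured value is taken from the message text, so it is
# whatever the sender wrote. If host is used in alerts or per-host access
# rules, limit which senders can reach this input.
REGEX = ^[A-Za-z]{3}\s+\d+\s\d+:\d+:\d+\s([^\s]+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host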

props.conf:
[TypeOfSourcetype]
# Bind the transforms.conf stanza [NameOfClass] to this sourcetype. "WhatYouWant"
# is only a label for this TRANSFORMS- entry.
# TRANSFORMS- entries are applied at index time, so this has to be deployed where
# the data is parsed (indexer or heavy forwarder), and it does not change events
# that are already indexed.
TRANSFORMS-WhatYouWant = NameOfClass

props.conf – baseline settings

Always set these six parameters for every custom source or sourcetype:

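# CUSTOM
[my_custom_source_or_sourcetype]
# Explicit timestamp and line-breaking settings, so Splunk does not have to
# guess them per event. Comments must stay on their own lines; .conf files do
# not support trailing comments after a value.
#
# TIME_PREFIX: regex for the text that precedes the timestamp. The date part
# has to match what the events actually start with (see LINE_BREAKER below,
# YYYY/MM/DD with no space before the second slash). If the prefix never
# matches, timestamp extraction does not occur and events get a fallback time,
# which skews time-range searches and correlation.
TIME_PREFIX = \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s
# TIME_FORMAT: strptime pattern of the timestamp after the prefix,
# e.g. "Apr 20 13:51:43 2020" (constructed sample).
TIME_FORMAT = %b %d %H:%M:%S %Y
# Only look this many characters past TIME_PREFIX; 20 is the length of a
# timestamp in the TIME_FORMAT above.
MAX_TIMESTAMP_LOOKAHEAD = 20
# Do not re-merge lines after breaking; LINE_BREAKER alone defines events.
SHOULD_LINEMERGE = False
# Break on newline(s) that are followed by a YYYY/MM/DD HH:MM:SS stamp. The
# capture group is discarded; the text after it starts the next event.
LINE_BREAKER = ([\n\r]+)\d{4}/\d{2}/\d{2}\s\d{2}:\d{2}:\d{2}
# Maximum line length in bytes before truncation (the default is 10000).
# Anything beyond the limit is cut off, so check that long events still fit.
TRUNCATE = 50000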