Quantcast
Channel: Questions in topic: "props.conf"
Viewing all articles
Browse latest Browse all 1485

How could I configure the segmenters .conf ?

February 8, 2016, 6:23 am
$
0
0
I have created a TA to analyse the FireEye LEEF logs format. This format uses `^` (HEX %5E) as field separator. example.log Jun 17 09:07:58 fecms fenotify-1189.alert: LEEF:1.0|FireEye|CMS|7.5.2.350291|malware-callback|dvchost=TESTFEEX^sev=7^vlan=0^dstPort=80^cncPort=80^proto=tcp^srcPort=4227^ In order to index every values I tried to modify the sementers.conf [fireeye_full] MAJOR = [ ] <> ( ) { } | ! ; , ' " * \n \r \s \t & ? + ^ %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 %5D %5B %3A %0A %2C %28 %29 MINOR = / : = @ . - $ # % \\ _ [fireeye_indexing] MAJOR = [ ] <> ( ) { } | ! ; , ' " * \n \r \s \t & ? + ^ %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 %5D %5B %3A %0A %2C %28 %29 MINOR = / : = @ . - $ # % \\ _ INTERMEDIATE_MAJORS = false [fireeye_standard] MAJOR = [ ] <> ( ) { } | ! ; , ' " * \n \r \s \t / : = @ . ? - & $ # + % _ \\ ^ %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 MINOR = [fireeye_inner] MAJOR = [ ] <> ( ) { } | ! ; , ' " * \n \r \s \t / : = @ . ? - & $ # + % _ \\ ^ %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 MINOR = [fireeye_outer] MAJOR = [ ] <> ( ) { } | ! ; , ' " * \n \r \s \t & ? + %5E %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 MINOR = [fireeye_none] MAJOR = MINOR = MAJOR_COUNT = 0 LOOKAHEAD = 0 MINOR_COUNT = 0 The configuration in the props.conf is [fireeye] pulldown_type = true category = Network & Security description = Data from FireEye SHOULD_LINEMERGE = false LINE_BREAKER = ((?:\r\n|\n)+) ANNOTATE_PUNCT = false SEGMENTATION = fireeye_indexing SEGMENTATION-all = fireeye_full SEGMENTATION-inner = fireeye_inner SEGMENTATION-outer = fireeye_outer SEGMENTATION-raw = fireeye_none SEGMENTATION-standard = fireeye_standard KV_MODE = auto But nothing to do, the indexation time doesn't separate the difference key=value pairs despite the KV_MODE = auto. The indexed value for the log example above is: key: dvchost value: TESTFEEX^sev=7^vlan=0^dstPort=80^cncPort=80^proto=tcp^srcPort=4227^ Does someone know how to make splunk recognize the "^" character as major word segmenter and make the KV_MODE=auto work for this log format? Thanks in advance
Search
Viewing all articles
Browse latest Browse all 1485

Trending Articles

RAMAYAMPET Mandal Sarpanch | Upa-Sarpanch | Ward member Mobile Numbers Medak...

May 24, 2017, 2:00 am

लड़कियां सेक्स के दौरान क्यों करती है उह! आह!लड़कियां सेक्स के दौरान क्यों करती...

May 19, 2016, 1:54 am

Neem Baba Extra Questions Answer Class 6 English Poorvi

February 1, 2025, 5:19 am

Throw Back: 4×4 — Sikilitele (Ft Castro) Prod by JQ

March 5, 2015, 8:24 am

Rajasthan Board 10th Result 2016 Roll No wise & Name Wise

August 20, 2016, 5:13 pm

Lowe faces four theft charges

November 14, 2017, 6:52 pm

Practice Sheet of Right form of verbs for HSC Students

September 22, 2019, 11:40 pm

Mafia, Murder & Mayhem In The Motor City: Detroit Mob Hit Timeline (1937-2007)

December 7, 2016, 3:57 pm

The 10 Tennessee Cities With The Largest Black Population For 2021

December 21, 2020, 10:12 am

Materials Around Us Class 6 Worksheet Science Chapter 6

October 3, 2024, 5:20 am

デスクトップ ヒープの枯渇

January 18, 2018, 8:31 pm

Best Suvichar in Hindi |बेस्ट सुविचार |शुभ विचार हिंदी में

March 7, 2020, 11:19 pm

Kanulanu Thaake Lyrics and translation | Manam (2014)

May 9, 2014, 5:45 am

Korean Sex Porn Videos: XXX Videos & Free Porn Movies

May 30, 2025, 9:29 pm

Teen Shot In Miami Drive-By Dies From Injuries

August 8, 2011, 1:16 pm

Download: IQ Muzatasha feat Shy D & Pmj – Ulesi NiFertilizer Yamavuto

March 22, 2018, 7:23 pm

Mahakal Attitude Status

February 29, 2020, 9:52 am

Property developer set up cannabis factory to help pay off debts...

August 3, 2015, 2:29 am

July 11, 2015, 6:15 am

KB: How to troubleshoot issues when adding a Hyper-V host in System Center...

August 14, 2012, 10:05 am
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>