Channel: Questions in topic: "props.conf"

Regexp for transform.conf doesn't work

Splunk receives a log like this:

    Nov 15 13:02:10 172.20.20.3 test WARNING 1 "Invalid path" 178.217.60.3 0 10.18.7.98 2040 5 "bla bla bla" sampled 1 0 N/A low drop FFFFFFFF-FFFF-FFFF-000E-000059C98546

And the vendor said that each field is separated by a single space character. Fields that may contain spaces are printed between double quotes.

So for each field I use a configuration like this:

props.conf:

    [test_source]
    REPORT-device_ip=device_ip
    REPORT-attack_name=attack_name

transforms.conf:

    [device_ip]
    REGEX = (".*?"|\S+)
    FORMAT = device_ip::$4
    MV_ADD = true

    [attack_name]
    REGEX = (".*?"|\S+)
    FORMAT = attack_name::$8
    MV_ADD = true

I've already tested the regexp with https://regex101.com/ and it should just split the fields in accordance with the vendor's documentation, but it doesn't work. I put all the files in /opt/splunk/etc/system/local/
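Added example, not part of the original question: the regex above defines a single capture group, so `$4` and `$8` in FORMAT refer to groups that do not exist. The Python sketch below shows this on the sample event and builds one anchored pattern that captures the 4th and 8th token by name. `positional_regex` and `extract` are hypothetical helper names, and using the generated pattern as a Splunk REGEX is an assumption that was not tested in Splunk.

```python
import re

# Sample event copied from the question above.
EVENT = ('Nov 15 13:02:10 172.20.20.3 test WARNING 1 "Invalid path" '
         '178.217.60.3 0 10.18.7.98 2040 5 "bla bla bla" sampled 1 0 N/A '
         'low drop FFFFFFFF-FFFF-FFFF-000E-000059C98546')

TOKEN = r'(".*?"|\S+)'  # REGEX from the question
# Same token, non-capturing; a bare token may not start with a quote, so
# backtracking cannot split a quoted field into several tokens.
TOK = r'(?:"[^"]*"|[^\s"]\S*)'


def tokens(event):
    """All matches of the question's regex: one token per match."""
    return re.findall(TOKEN, event)


def group_count(pattern):
    """How many capture groups ($1..$n) a pattern actually defines."""
    return re.compile(pattern).groups


def positional_regex(wanted):
    """Build one anchored regex capturing the tokens at the given 1-based
    positions under the given names. Hypothetical helper, not a Splunk API."""
    parts, prev = [], 0
    for pos in sorted(wanted):
        parts.append('^' if prev == 0 else r'\s+')
        skip = pos - prev - 1
        if skip:
            parts.append(r'(?:%s\s+){%d}' % (TOK, skip))
        parts.append(r'(?P<%s>%s)' % (wanted[pos], TOK))
        prev = pos
    return ''.join(parts)


def extract(event, wanted):
    """Return {name: value} with surrounding quotes removed, or {} if the
    event has fewer tokens than the highest requested position."""
    m = re.search(positional_regex(wanted), event)
    return {k: v.strip('"') for k, v in m.groupdict().items()} if m else {}


if __name__ == '__main__':
    print(group_count(TOKEN), 'capture group; $4 and $8 do not exist')
    print(extract(EVENT, {4: 'device_ip', 8: 'attack_name'}))
```

The three-token syslog timestamp is why the device IP is the 4th token and the quoted attack name the 8th.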
