I'm attempting to do an index time field extraction
Here is my props.conf
[source::/tmp/fake-tacplus]
TRANSFORMS-host_ip = tacacs_host_ip_username_extraction
TRANSFORMS-username = tacacs_host_ip_username_extraction
Here is my transforms.conf
[tacacs_host_ip_username_extraction]
# Skip the three timestamp tokens (month, day, time), then capture the host IP and the username.
# Named groups and the token-skipping prefix reconstructed here; the post's original regex had its group names stripped.
REGEX = ^(?:\S+\s+){3}(?P<host_ip>\S+)\s+(?P<username>\w+)
FORMAT = host_ip::$1 username::$2
WRITE_META = true
DEST_KEY = _meta
Here is my fields.conf
# cat fields.conf
[username]
INDEXED = True
INDEXED_VALUE = False
[host_ip]
INDEXED = True
INDEXED_VALUE = False
After putting these in splunk/etc/apps/search/local, I still am not seeing extractions of "host_ip" and "username".
The log I need parsed at index time is:
Jan 21 14:42:20 10.0.0.0 user ssh 10.0.0.0 stop task_id=460864 service=shell priv-lvl=15 start_time=1453408940 timezone=UTC cmd=exit <cr>
I need "10.0.0.0" to be username and "user" to be username.
Here are my other fields that are already extracted.
index = tacacs
source = /tmp/fake-tacplus
sourcetype = acct
I guess my questions are: is the path where these .conf files are stored right? Is my regex right? And are the files correctly formatted?
Thanks in advance
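A quick way to check a transform's REGEX and FORMAT before restarting Splunk is to emulate what the indexer writes to _meta. The script below is an added example, not part of the original post or of Splunk; it applies the corrected regex (`^(?:\S+\s+){3}...`, three tokens skipped, then host_ip and username captured) to the sample log line from the post, substitutes `$1`/`$2` in the FORMAT string the way the transform does, and also shows that a regex built from the post's original `(?:[^\n]*){3}` prefix (reconstructed here with `[^\s]+` as the first group, an assumption) does not land on the intended tokens. The `_meta` rendering is a simplification of Splunk's real behaviour and is only meant for offline regex checking.

```python
import re

# Constructed sample line, copied from the format shown in the post.
SAMPLE_LINE = ("Jan 21 14:42:20 10.0.0.0 user ssh 10.0.0.0 stop task_id=460864 "
               "service=shell priv-lvl=15 start_time=1453408940 timezone=UTC cmd=exit <cr>")

# Corrected transform: skip three whitespace-delimited tokens (month, day, time),
# then capture the host IP and the username into named groups.
TRANSFORM_REGEX = re.compile(r"^(?:\S+\s+){3}(?P<host_ip>\S+)\s+(?P<username>\w+)")

# Reconstruction of the post's original prefix (assumption: the garbled [^]+ was [^\s]+).
# (?:[^\n]*){3} swallows the whole line and backtracks from the right, so the groups
# end up matching near the END of the line instead of after the timestamp.
ORIGINAL_REGEX = re.compile(r"^(?:[^\n]*){3}(?P<host_ip>[^\s]+)\s+(?P<username>\w+)")

FORMAT = "host_ip::$1 username::$2"


def apply_transform(line, regex=TRANSFORM_REGEX, fmt=FORMAT):
    """Emulate REGEX + FORMAT with DEST_KEY=_meta: return the _meta string, or None on no match."""
    m = regex.search(line)
    if m is None:
        return None
    out = fmt
    for i, value in enumerate(m.groups(), start=1):
        out = out.replace(f"${i}", value)
    return out


def parse_meta(meta):
    """Turn 'field::value field::value' into a dict, mirroring how indexed fields are read back."""
    return dict(token.split("::", 1) for token in meta.split())


if __name__ == "__main__":
    print("corrected:", apply_transform(SAMPLE_LINE))
    print("original: ", apply_transform(SAMPLE_LINE, ORIGINAL_REGEX))
```

Running it prints the _meta string the corrected transform produces for the sample line and, for comparison, the off-target match from the original prefix; once the corrected output reads `host_ip::10.0.0.0 username::user`, the transform is worth deploying and re-indexing the test file.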