Hello,
I want to know if this Add-on works with other sourcetypes than syslog. I have changed the base sourcetype from syslog to syslog_linux, so I can use this as the stanza in transforms.conf and address it.
####################################################################
# Input-App for the Forwarders
####################################################################

inputs.conf

```
# note: the file name is inputs.conf, not input.conf
[monitor:///var/log/splunk.messages]
disabled = false
index = infrastrukturlog_linux
sourcetype = syslog_linux
_TCP_ROUTING = wwiForwarderProd
```

props.conf

```
#*************************************************************
#* Original syslog-props.conf
#*************************************************************
[syslog_linux]
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False
category = Operating System
description = Output produced by many syslog daemons, as described in RFC3164 by the IETF.
```

####################################################################
# Filter-App for the Heavy-Forwarder
####################################################################

props.conf

```
[syslog_linux]
TRANSFORMS-null = null_queue_filter_syslog,null_queue_filter_syslog1
```

transforms.conf

```
[null_queue_filter_syslog]
REGEX = (?m)caa:
DEST_KEY = queue
FORMAT = nullQueue

[null_queue_filter_syslog1]
REGEX = ^(?=.*\bifconfig\b)(?=.*\buser:info\b).*$
DEST_KEY = queue
FORMAT = nullQueue
```
I actually get no data from the Add-on.
Any ideas?
Gerd
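As an added example (not from the post and not Splunk's own code), the following Python replays the two nullQueue transforms from the post against constructed syslog lines, so you can see which events the filter would silently discard before deploying it on the heavy forwarder; the sample event lines are made up, and Python's `re` stands in for Splunk's PCRE engine.

```python
import re
from typing import List, Optional, Tuple

# The two nullQueue transforms from the post, in the order TRANSFORMS-null lists them.
# Splunk evaluates them in order; as soon as one sets queue=nullQueue the event is
# discarded before indexing, so later transforms never see it.
NULL_QUEUE_TRANSFORMS = [
    ("null_queue_filter_syslog", re.compile(r"(?m)caa:")),
    ("null_queue_filter_syslog1", re.compile(r"^(?=.*\bifconfig\b)(?=.*\buser:info\b).*$")),
]


def route_event(raw_event: str) -> Tuple[str, Optional[str]]:
    """Return ("nullQueue", <transform name>) if a transform drops the event,
    otherwise ("indexQueue", None)."""
    for name, regex in NULL_QUEUE_TRANSFORMS:
        if regex.search(raw_event):
            return "nullQueue", name
    return "indexQueue", None


# Constructed sample events in the RFC3164 layout the props stanza's TIME_FORMAT expects.
SAMPLE_EVENTS = [
    "Mar  3 10:15:01 host1 sshd[1234]: Accepted publickey for gerd from 10.0.0.5 port 51234 ssh2",
    "Mar  3 10:15:02 host1 caa: certificate authority authorization check passed",
    "Mar  3 10:15:03 host1 audit user:info ifconfig eth0 queried by monitoring",
    "Mar  3 10:15:04 host1 audit user:info ifconfig2 eth0 queried",  # \bifconfig\b does not match ifconfig2
    "Mar  3 10:15:05 host1 kernel: Picaa: sensor reading 42",        # "caa:" inside a longer word still matches
]


def summarize(events: List[str]) -> dict:
    """Count how many events land in each queue; a quick sanity check that a
    filter is not throwing away more than intended (e.g. the sshd login above)."""
    counts = {"indexQueue": 0, "nullQueue": 0}
    for event in events:
        counts[route_event(event)[0]] += 1
    return counts


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(route_event(event), event)
    print(summarize(SAMPLE_EVENTS))
```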