I have a WLC and Equallogic arrays sending logs on UDP port 514.
Currently only the Cisco sourcetype is configured, so all data is getting parsed as the cisco:ios sourcetype. I want to parse the data sent by the 6 Equallogic hosts into a customised "equal_log" sourcetype.
I followed this documentation: http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Advancedsourcetypeoverrides
and created the following transforms.conf and props.conf in $SPLUNK_HOME/etc/system/local/:
transforms.conf:

```
[set_sourcetype_syslog_for_Equallogic_hosts]
# Same pattern Splunk uses to pull the host out of a syslog header, with the
# capture group narrowed to the six Equallogic hosts
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(host1|host2|host3|host4|host5|host6)[\w\.\-]*\]?\s
FORMAT = sourcetype::equal_log
DEST_KEY = MetaData:Sourcetype
```

props.conf:

```
[source::udp:514]
# The value of TRANSFORMS-<class> must match the transforms.conf stanza name exactly
TRANSFORMS-changesourcetype = set_sourcetype_syslog_for_Equallogic_hosts
```
Please note that the above regex is the one used to extract the host field for syslog events. I am using the same regex because the data coming from the Equallogic arrays is syslog, which is currently getting parsed into the cisco:ios sourcetype.
Should I be using a regex to extract the host field for cisco:ios events?
Also, should I make the above props.conf and transforms.conf changes in the Cisco app's props.conf and transforms.conf as well?
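A quick way to check what this transform will do before restarting Splunk is to run the stanza's REGEX over a few representative raw events and see which sourcetype each one would end up with. The script below is an added example, not part of the original post or of Splunk itself; the log lines are constructed placeholders, and the host names are the post's own host1..host6. It uses Python's re module, which handles this expression the same way Splunk's PCRE does.

```python
import re

# REGEX copied from the transforms.conf stanza in the post above.
# host1..host6 are the post's placeholder names for the six Equallogic members.
EQUALLOGIC_HOST_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*"
    r"\[?(host1|host2|host3|host4|host5|host6)[\w\.\-]*\]?\s"
)

# Sourcetype the udp:514 input assigns today (from the post) and the override
# the transform should apply when the regex matches.
INPUT_SOURCETYPE = "cisco:ios"
OVERRIDE_SOURCETYPE = "equal_log"


def assign_sourcetype(raw_event):
    """Mimic the transform at parse time: Splunk runs REGEX unanchored over
    _raw and, on a match, sets MetaData:Sourcetype to FORMAT's value.
    Returns (sourcetype, matched_host_or_None)."""
    m = EQUALLOGIC_HOST_REGEX.search(raw_event)
    if m:
        return OVERRIDE_SOURCETYPE, m.group(1)
    return INPUT_SOURCETYPE, None


# Constructed sample events (not real device output). Each one exercises a
# different branch of the regex.
SAMPLE_EVENTS = [
    # plain BSD syslog header, bare hostname
    "Jan 12 10:15:01 host3 EQL: Volume access from initiator iqn.1991-05.com.example:srv1",
    # FQDN host, with a PRI prefix added by a relay
    "<14>Jan 12 10:15:01 host1.storage.example.com member: RAID set OK",
    # facility.severity token between the timestamp and a bracketed host
    "Jan 12 10:15:04 daemon.notice [host5] iSCSI login succeeded",
    # Cisco IOS event: the host after the timestamp is not in the list
    "Jan 12 10:15:02 switch1 2001: *Jan 12 10:15:01.500: %SYS-5-CONFIG_I: Configured from console",
    # a hostname that merely starts with host1: the regex still matches it
    "Jan 12 10:15:03 host10 kernel: not an Equallogic at all",
]


def classify_all(events=SAMPLE_EVENTS):
    """Apply the transform to every event; returns a list of (sourcetype, host)."""
    return [assign_sourcetype(e) for e in events]


if __name__ == "__main__":
    for event, (sourcetype, host) in zip(SAMPLE_EVENTS, classify_all()):
        print(f"{sourcetype:10} host={host!s:8} {event[:60]}")
```

The last sample shows a property of the regex as written: `(host1|...)[\w\.\-]*` accepts any hostname that begins with one of the six names, so a host called host10 would also be re-typed as equal_log. If the real Equallogic names are prefixes of other hosts on the same port, anchor the alternation (for example with a lookahead for a dot, bracket or whitespace) before relying on it.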