Greetings,
I have a few PVSs coming through syslog via TCP. I have set index=pvs, sourcetype=pvs:internal (for these; there will be "externals" coming down the pipe in a few weeks) and the host=.
I have attempted to comment out the syslog stanza of the props.conf and collapsed the extract into the local/props.conf stanza automagically created when I set the sourcetype on the heavy forwarder to [pvs:internal]. So I now have this in my /opt/splunk/etc/apps/pvs/local/props.conf:
[pvs:internal]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
TRANSFORMS-changesourcetype = set_sourcetype_pvs
EXTRACT-PVS,src,src_port,dest,dest_port,protocol,PVS_pluginid,PVS_eventname,PVS_data,PVS_data2,PVS_risk = (?P<PVS>pvs): (?P<src>[^:]+):(?P<src_port>\d{1,5})\|(?P<dest>[^:]+):(?P<dest_port>\d{1,5})\|(?P<protocol>\d{1,3})\|(?P<PVS_pluginid>\d{1,5})\|(?P<PVS_eventname>[^\|]+)\|(?P<PVS_data>[^\|]+)\|(?P<PVS_data2>[^\|]+)?\|(?P<PVS_risk>[^\|]+)
When I ran the regex from the extract through https://regex101.com/, it seems to grab every other event (which may be a different issue), but I wanted to verify the regex.
Anyway, I am not getting any extractions, which is my real issue. Can anyone offer suggestions?
Thanks,
Dave
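As an added example (not from the original post or from Splunk), the extraction regex with its group names restored, run through Python's re module, which accepts the same (?P<name>...) syntax this pattern uses, against constructed sample lines shaped to the pattern: one full event, one with an empty PVS_data2 field, and one with an IPv6 source address that the [^:]+ address pattern cannot match. Nothing about the real PVS output format is assumed beyond what the regex itself encodes.

```python
import re

# The EXTRACT from the poster's props.conf, with the (?P<name>...) groups restored;
# the group names follow the field list in the EXTRACT class name, in order.
PVS_REGEX = re.compile(
    r"(?P<PVS>pvs): (?P<src>[^:]+):(?P<src_port>\d{1,5})\|"
    r"(?P<dest>[^:]+):(?P<dest_port>\d{1,5})\|(?P<protocol>\d{1,3})\|"
    r"(?P<PVS_pluginid>\d{1,5})\|(?P<PVS_eventname>[^\|]+)\|"
    r"(?P<PVS_data>[^\|]+)\|(?P<PVS_data2>[^\|]+)?\|(?P<PVS_risk>[^\|]+)"
)

# Constructed sample events shaped to the regex (not real PVS output).
# The syslog prefix and hostname are invented; note the hostname also contains "pvs".
SAMPLE_EVENTS = [
    "<14>Jan  1 00:00:01 pvs01 pvs: 10.0.0.5:51234|10.0.0.9:443|6|1234"
    "|SSL Server Detected|TLSv1.2|cipher=X|INFO",
    # empty PVS_data2 field: the optional group is skipped, the '||' still has to match
    "<14>Jan  1 00:00:02 pvs01 pvs: 10.0.0.5:51235|10.0.0.9:80|6|1235"
    "|HTTP Server Detected|nginx||LOW",
    # IPv6 source: [^:]+ stops at the first colon and \d{1,5} cannot match "db8"
    "<14>Jan  1 00:00:03 pvs01 pvs: 2001:db8::5:51236|10.0.0.9:22|6|1236"
    "|SSH Server Detected|OpenSSH||INFO",
]


def extract_fields(event):
    """Return the named-group dict the extraction would yield, or None on no match."""
    m = PVS_REGEX.search(event)
    return m.groupdict() if m else None


def check_events(events):
    """Run the extraction over each event; the NO MATCH lines are the ones to look into."""
    results = []
    for ev in events:
        fields = extract_fields(ev)
        results.append((ev, fields))
        if fields is None:
            print("NO MATCH :", ev)
        else:
            print("MATCH    :", {k: v for k, v in fields.items() if k != "PVS"})
    return results


if __name__ == "__main__":
    check_events(SAMPLE_EVENTS)
```

Feeding the raw lines that actually arrive over TCP into SAMPLE_EVENTS shows which event shapes the pattern misses before touching props.conf again.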