I'm working on getting VMware logs into Splunk and ran into a problem with the hyphen in the vmw-syslog sourcetype in Splunk_TA_esxilogs. When I remove the hyphen or just use syslog as the sourcetype it works fine. I'm not a regex expert, so I'm assuming the regex in transforms.conf for [set_syslog_sourcetype] isn't quite right or maybe [set_syslog_sourcetype_sections], but I'm not sure how to adjust it.