I am getting some strange behaviors for some of the sourcetype transforms. 70% of the events are still showing sourcetype=pfsense. The only two that get transformed correctly are pfsense:filterlog and pfsense:dhcpclient.
Also, there seems to be a truncation that occurs that strips out what log the event came from. For example, for all unbound events, here is what happens:
**Sent from pfSense as:**

```
Oct 17 19:23:09 unbound: [36942:1] info: validator operate: query semanticlocation-pa.googleapis.com. A IN
```

**Indexed into Splunk as (sourcetype is pfsense, not pfsense:unbound):**

```
[36942:1] info: validator operate: query semanticlocation-pa.googleapis.com. A IN
```
So none of the fields for these are extracted for any sourcetype=pfsense, while sourcetype=filterlog or dhcpclient have all fields extracted properly.
I tested the sourcetyper regex from the transforms.prop on the above raw event and it pulls the correct sourcetype "unbound". It does this for nginx and openvpn also.
I verified all files are there including the lookups which must be manually installed now.
PFSense 2.4.4-RELEASE-p3
Splunk Enterprise 7.3.2
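One way to reproduce the symptom described in the post offline, as an added example that is not part of the post or of the pfSense add-on: a sourcetype-routing regex that keys on the process name in the syslog header matches the line as sent, but cannot match once the header has been stripped, so the result depends on which index-time transform runs first. The two regexes, the transform names and the second (filterlog) sample line are constructed assumptions for illustration, not the add-on's real `transforms.conf` entries; the unbound line is the one quoted above.

```python
import re

# Constructed sample events (modelled on the post). The unbound line is the one
# quoted in the post; the filterlog line is a made-up CSV event of the same shape.
SENT_UNBOUND = (
    "Oct 17 19:23:09 unbound: [36942:1] info: validator operate: "
    "query semanticlocation-pa.googleapis.com. A IN"
)
SENT_FILTERLOG = (
    "Oct 17 19:23:10 filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,"
    "6,tcp,60,192.0.2.10,192.0.2.1,51000,443,0,S,,,,,,"
)

# Common BSD syslog prefix: "Mon DD HH:MM:SS [host] proc[pid]: ".
# Hypothetical, not the add-on's own pattern.
_SYSLOG_PREFIX = (
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d "   # timestamp
    r"(?:\S+ )?"                          # optional hostname
    r"(?P<proc>[\w.-]+)"                  # process name -> sourcetype suffix
    r"(?:\[\d+\])?: "                     # optional pid, then ": "
)
SOURCETYPER = re.compile(_SYSLOG_PREFIX)    # hypothetical sourcetype-routing transform
STRIP_HEADER = re.compile(_SYSLOG_PREFIX)   # hypothetical header-stripping transform


def route_sourcetype(event: str, default: str = "pfsense") -> str:
    """Return 'pfsense:<proc>' if the syslog header is present, else the default."""
    m = SOURCETYPER.match(event)
    return f"pfsense:{m.group('proc')}" if m else default


def strip_header(event: str) -> str:
    """Remove the syslog timestamp/host/process prefix, leaving the message body."""
    return STRIP_HEADER.sub("", event, count=1)


def apply_transforms(event: str, order: list[str]) -> tuple[str, str]:
    """Apply the two hypothetical index-time transforms in the given order.

    Mimics the fact that transforms act on the raw event as it is at that point
    in the pipeline: whatever runs first sees the unmodified line.
    """
    sourcetype, raw = "pfsense", event
    for name in order:
        if name == "sourcetyper":
            sourcetype = route_sourcetype(raw, sourcetype)
        elif name == "strip_header":
            raw = strip_header(raw)
        else:
            raise ValueError(f"unknown transform {name!r}")
    return sourcetype, raw


if __name__ == "__main__":
    for order in (["sourcetyper", "strip_header"], ["strip_header", "sourcetyper"]):
        for line in (SENT_UNBOUND, SENT_FILTERLOG):
            st, raw = apply_transforms(line, order)
            print(f"{' -> '.join(order):32} {st:18} {raw[:40]}")
```

Running the block shows both orderings: with the sourcetyper first, the unbound line becomes `pfsense:unbound` and the body is stripped; with the stripper first, the body is identical but the sourcetype falls back to `pfsense`, which is exactly the combination seen in the indexed event above. That makes the order in which the add-on's `TRANSFORMS-` classes (or any `SEDCMD`) are applied the first thing to check, rather than the regex itself, which the post already confirmed matches the raw line.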