Hi,
I am having an issue when we are trying to extract fields at the Heavy Forwarder level. We are in a shared Cloud environment, but some Heavy Forwarders are local, so we want these HFs to do the field extraction; however, it doesn't seem to work.
I created a transforms.conf and a props.conf, and when I tested them on my local Splunk instance without a Heavy Forwarder they do work:
props.conf:
## Custom Extractions Meraki ##
# Placeholder stanza header: the post shows no [<sourcetype>] line, so the
# sourcetype is unknown; replace with the sourcetype these Meraki events use.
[<your_meraki_sourcetype>]
TRANSFORMS-Logtype=Logtype
TRANSFORMS-pattern=pattern
TRANSFORMS-security_event_dtl=security_event_dtl
TRANSFORMS-message=message
TRANSFORMS-request=request
TRANSFORMS-src=src
TRANSFORMS-user=user
## Change user field ##
EVAL-user = replace(user, "\\\,\\\20", ",")
transforms.conf:
## Extract custom Meraki fields ##
# The named capture groups (?<field>...) lost their <field> names in the forum
# rendering; they are assumed here to match the stanza names.
[Logtype]
SOURCE_KEY = source
REGEX = \\meraki\\(?<Logtype>\w+)
[pattern]
SOURCE_KEY = _raw
REGEX = pattern:(?<pattern>.*)
[security_event_dtl]
SOURCE_KEY = _raw
REGEX = security_event\s(?<security_event_dtl>\w+)\s\w+
[message]
SOURCE_KEY = _raw
REGEX = message:(?<message>.*)
[request]
SOURCE_KEY = _raw
REGEX = request:\s\w+(?<request>.*)
[src]
SOURCE_KEY = _raw
REGEX = client_ip='(?<src>.*)
[user]
SOURCE_KEY = _raw
REGEX = CN=(?<user>.*?),OU
From my understanding it should be possible to do these field extractions at the Heavy Forwarder level, correct?
I appreciate your help,
Oliver
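Added example (not part of Oliver's post): an offline check of the transforms.conf above before it is pushed to a Heavy Forwarder. It parses the stanzas, converts Splunk's PCRE named groups to Python's `(?P<name>...)` syntax, runs each REGEX over two constructed Meraki-style sample events, and flags the index-time pitfall this configuration hits: a `TRANSFORMS-` stanza only persists a field when it sets `WRITE_META = true` (or a `DEST_KEY`); with neither, the HF runs the regex and discards the result. The capture-group names are assumed to equal the stanza names, and the sample events and source path are constructed, not real logs.

```python
import re

# Reconstruction of the poster's transforms.conf; capture-group names are assumed
# to equal the stanza names (the forum rendering stripped them).
TRANSFORMS_CONF = r"""
[Logtype]
SOURCE_KEY = source
REGEX = \\meraki\\(?<Logtype>\w+)
[pattern]
SOURCE_KEY = _raw
REGEX = pattern:(?<pattern>.*)
[security_event_dtl]
SOURCE_KEY = _raw
REGEX = security_event\s(?<security_event_dtl>\w+)\s\w+
[message]
SOURCE_KEY = _raw
REGEX = message:(?<message>.*)
[request]
SOURCE_KEY = _raw
REGEX = request:\s\w+(?<request>.*)
[src]
SOURCE_KEY = _raw
REGEX = client_ip='(?<src>.*)
[user]
SOURCE_KEY = _raw
REGEX = CN=(?<user>.*?),OU
"""

# Constructed sample source path and events (not real captures); the shapes loosely
# follow Meraki MX syslog so that the regexes above have something to match.
SAMPLE_SOURCE = r"\\nas01\logs\meraki\securityappliance"
SAMPLE_EVENTS = [
    "1700000000.123456 MX84 security_event ids_alerted signature=1:12345:2 priority=2 "
    "direction=ingress protocol=tcp/ip src=10.1.2.3:51234 dst=203.0.113.10:443 "
    "message: ET POLICY example rule",
    "1700000001.000000 MX84 urls client_ip='10.1.2.3' "
    "user='CN=jdoe,OU=Staff,DC=example,DC=com' request: GET https://example.com/",
]

# Matches a PCRE named group opener "(?<name>" but not lookbehinds "(?<=" / "(?<!".
PCRE_NAMED_GROUP = re.compile(r"\(\?<([A-Za-z_]\w*)>")


def parse_conf(text):
    """Minimal Splunk .conf parser: {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)   # split on the first '=' only
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def to_python_regex(pcre):
    """Splunk regexes are PCRE; Python spells named groups as (?P<name>...)."""
    return PCRE_NAMED_GROUP.sub(r"(?P<\1>", pcre)


def lint_index_time(stanzas):
    """Return {stanza: [problems]} for stanzas a HF would run but whose output is dropped.

    An index-time (TRANSFORMS-) stanza persists its captures only with WRITE_META = true
    (fields go into _meta) or with a DEST_KEY; with neither, nothing is written.
    """
    problems = {}
    for name, st in stanzas.items():
        issues = []
        if "REGEX" not in st:
            issues.append("missing REGEX")
        if st.get("WRITE_META", "false").lower() != "true" and "DEST_KEY" not in st:
            issues.append("neither WRITE_META = true nor DEST_KEY: captures are discarded")
        if issues:
            problems[name] = issues
    return problems


def extract_fields(stanzas, event, source):
    """Apply each stanza's REGEX to its SOURCE_KEY subject (source or _raw) and merge captures."""
    fields = {}
    for st in stanzas.values():
        if "REGEX" not in st:
            continue
        subject = source if st.get("SOURCE_KEY") == "source" else event
        match = re.search(to_python_regex(st["REGEX"]), subject)
        if match:
            fields.update(match.groupdict())
    return fields


def run_demo():
    """Lint the config as posted, lint it again with WRITE_META added, and extract from samples."""
    stanzas = parse_conf(TRANSFORMS_CONF)
    as_posted = lint_index_time(stanzas)
    fixed = {name: {**st, "WRITE_META": "true"} for name, st in stanzas.items()}
    after_fix = lint_index_time(fixed)
    extracted = [extract_fields(stanzas, ev, SAMPLE_SOURCE) for ev in SAMPLE_EVENTS]
    return as_posted, after_fix, extracted
```

Running `run_demo()` flags all seven stanzas as posted and none once `WRITE_META = true` is added; that is the one line each stanza needs for the HF to index the fields. The search head then also needs a fields.conf entry with `INDEXED = true` for each of these field names so that searches read the indexed value instead of attempting a search-time extraction. The extraction output is also worth a look before deploying: `message:(?<message>.*)` and `request:\s\w+(?<request>.*)` keep a leading space in the value, and `client_ip='(?<src>.*)` is greedy, so `src` captures the closing quote and the rest of the event rather than just the address; a bounded pattern such as `client_ip='(?<src>[^']+)'` is what one would want there.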