How to set fields for data output in different formats

- Release date: 2015.06.22
- Last updated: 2015.06.22
- Version: Splunk Enterprise 6.1.4
- Overview: Set up a field extraction corresponding to each format when data in different formats is output under the same sourcetype name.
- Reference information:
  - http://docs.splunk.com/Documentation/Splunk/6.1.4/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Create_advanced_search-time_field_extractions_with_field_transforms
  - http://docs.splunk.com/Documentation/Splunk/6.1.4/Admin/Propsconf
  - http://docs.splunk.com/Documentation/Splunk/6.1.4/Admin/Transformsconf

Content
If two different formats exist in the same file, fields can be extracted according to each format by configuring transforms.conf.
Data example and setting method

Data format: as shown below, events in both format A and format B exist in the same source.

A: Date and time, A item, B item, C item, D item, E item
B: Date and time, A item, D item, E item

Suppose we want to capture this data as sourcetype: sample.
Setup steps

* Edit the configuration files under $SPLUNK_HOME/etc/<any app>/local.

- In transforms.conf, set regular expressions so that fields can be extracted in both case A and case B. For A, fields are extracted by the typeA stanza below according to its format; for B likewise, by the typeB stanza below. The named capture groups (A to E) become the field names and correspond to the items in the data format above.

Setting example (transforms.conf):

# typeA: date, time, then the five items A to E, each a run of non-whitespace characters
[typeA]
REGEX = ^[^\s]+\s[^\s]+\s(?<A>[^\s]*)\s(?<B>[^\s]*)\s(?<C>[^\s]*)\s(?<D>[^\s]*)\s(?<E>[^\s]*)$

# typeB: date, time, then only the three items A, D and E
[typeB]
REGEX = ^[^\s]+\s[^\s]+\s(?<A>[^\s]*)\s(?<D>[^\s]*)\s(?<E>[^\s]*)$

- In props.conf, set both REPORTs for the single sourcetype.

Setting example (props.conf):

[sample]
REPORT-sample = typeA,typeB

* The stanza name, such as the sourcetype, is written in []. Use REPORT-<unique class name> = <stanza name set in transforms.conf>.
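The following is an added example, not part of the original FAQ: it emulates the search-time behaviour of REPORT-sample = typeA,typeB on constructed sample events, showing that each regex only matches its own format (the $ anchor and single-token groups rule out the other one) and that a sourcetype configured with typeA alone leaves every format B event without fields, a blind spot for any search or alert keyed on those fields. The sample events and field values are constructed; the regexes are the two from the FAQ written in Python's (?P<name>...) syntax.

```python
import re

# Constructed sample events: two line formats sharing one sourcetype, as in the FAQ.
# Format A carries items A..E after the date and time; format B carries only A, D, E.
SAMPLE_EVENTS = [
    "2015-06-22 10:00:01 web01 GET /login 200 alice",    # format A
    "2015-06-22 10:00:02 web01 401 bob",                  # format B
    "2015-06-22 10:00:03 web02 POST /admin 403 mallory",  # format A
    "2015-06-22 10:00:04 web02 200 carol",                # format B
    "2015-06-22 10:00:05 malformed line",                 # neither format
]

# The two transforms.conf REGEX values from the FAQ. Python's re needs (?P<name>...);
# Splunk's PCRE form (?<name>...) is equivalent.
TRANSFORMS = {
    "typeA": re.compile(
        r"^[^\s]+\s[^\s]+\s(?P<A>[^\s]*)\s(?P<B>[^\s]*)\s(?P<C>[^\s]*)"
        r"\s(?P<D>[^\s]*)\s(?P<E>[^\s]*)$"
    ),
    "typeB": re.compile(
        r"^[^\s]+\s[^\s]+\s(?P<A>[^\s]*)\s(?P<D>[^\s]*)\s(?P<E>[^\s]*)$"
    ),
}


def extract_fields(event, report=("typeA", "typeB")):
    """Emulate REPORT-<class> = typeA,typeB: try every listed transform against the
    event and collect the named groups of each one that matches."""
    fields = {}
    for name in report:
        match = TRANSFORMS[name].match(event)
        if match:
            fields.update(match.groupdict())
    return fields


def coverage_gaps(events, report=("typeA", "typeB")):
    """Return the events that yielded no fields at all. Such events are invisible to
    searches and alerts filtering on A..E, which is the gap the FAQ's setup closes."""
    return [e for e in events if not extract_fields(e, report)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(extract_fields(e) or "<no fields>", "<-", e)
    print("unparsed with typeA only:", coverage_gaps(SAMPLE_EVENTS, ("typeA",)))
    print("unparsed with typeA,typeB:", coverage_gaps(SAMPLE_EVENTS))
```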
That's all.
In charge of Macnica Splunk Co., Ltd.