Admin Manual

This documentation does not apply to the most recent version of Splunk.

Configure meta events

You can configure meta events via transforms.conf and props.conf.


Configuration

transforms.conf


Edit $SPLUNK_HOME/etc/bundles/local/transforms.conf:


[$UNIQUE_STANZA_NAME]
DEST_KEY = cluster
REGEX = $YOUR_CUSTOM_REGEX
FORMAT = $YOUR_FIELD_NAME::$1

Fill in the stanza name and the regex fields with the correct values for your data.


Please note: You will need to name your stanza with a unique identifier (so it is not confused with a stanza in $SPLUNK_HOME/etc/bundles/default/transforms.conf).


props.conf


Next, add a stanza to $SPLUNK_HOME/etc/bundles/local/props.conf:


[<spec>]
TRANSFORMS-$NAME = $UNIQUE_STANZA_NAME

<spec> can be:

  1. <sourcetype>, the sourcetype of an event
  2. host::<host>, where <host> is the host for an event
  3. source::<source>, where <source> is the source for an event

$NAME is whatever unique identifier you want to give to your transform.

$UNIQUE_STANZA_NAME must match the stanza name of the transform you just created in transforms.conf.

metaevents.conf


You can optionally add a stanza to $SPLUNK_HOME/etc/bundles/local/metaevents.conf to set a preamble message for each metaevent.


Map the prefix of the cluster key ($YOUR_FIELD_NAME) from transforms.conf to your preamble:


[$YOUR_FIELD_NAME]
PREAMBLE = $whatever text string you want to append to the beginning of your metaevents stream.

Examples

Cluster web activity by IP address

The example below looks for IP addresses and creates a meta event for each IP address. The meta event contains all events that include that IP address.


First, in $SPLUNK_HOME/etc/bundles/local/transforms.conf


[access-ip]
DEST_KEY = cluster
# capture the first dotted-quad IP address in the event
REGEX = (\d+\.\d+\.\d+\.\d+)
FORMAT = ip::$1

Next, in $SPLUNK_HOME/etc/bundles/local/props.conf:


[access_common]
TRANSFORMS-cluster = access-ip

Correlate Sendmail and MS Exchange events

In the example below, events are generated by a Sendmail server and then forwarded to an MS Exchange server. The Exchange events all share the message ID, while the Sendmail events share the QID. The only thing that joins the meta event together is a single event in the sendmail log that contains both the message ID and the QID.


In $SPLUNK_HOME/etc/bundles/local/transforms.conf, add:


#From the exchange events we are going to extract the message ID which has the form: 200703261746.c2YLgB00001000@shemika.paulette.com
[exchange_msgID]
DEST_KEY = cluster
REGEX = (\w+\.\w+@[^ ]+\.com)
FORMAT = messageID::$1
#From the sendmail log we are going to extract the QID which has the form: c2YLgB00001000 as well as the message ID
[sendmail_QID_msgID]
DEST_KEY = cluster
REGEX = sendmail\[\d+\]:\s+(\w+):.*\<(\w+\.\w+@[^ ]+\.com)\>
FORMAT = qid::$1 messageID::$2

Add the following stanza in $SPLUNK_HOME/etc/bundles/local/props.conf:


# Call the regexes from transforms.conf
[sendmail_syslog]
TRANSFORMS-cluster = sendmail_QID_msgID
[exchange_custom]
TRANSFORMS-cluster = exchange_msgID

Sample MS Exchange event:


1006-3-23 17:46:25 GMT 129.24.20.020 shemika.paulette.com OLCP05.pr.paulette.com GDQEXMPX00 022.00.15.002 maritza@paulette.com 1000 200703261746.c2YLgB00001000@shemika.paulette.com 0 0 0060 5 1006-3-23 17:46:24 GMT 0 Version: 6.0.3440.0520 - Material Request - DON Group Org 000 : PMKOyige : 1 : Kai Frank Barb.Workflow@paulette.com -

Sample Sendmail events:


Mar 26 10:46:24 shemika sendmail[13005]: c2YLgB00001000: from=<Barb.Workflow@paulette.com>, size=454, class=0, nrcpts=1, msgid=<200703261746.c2YLgB00001000@shemika.paulette.com>, proto=SMTP, daemon=MTA, relay=oxgzl21.paulette.com [022.00.00.22]

Mar 26 10:46:24 shemika sendmail[13005]: c2YLgB00001000: list: /mailing-lists/barb.workflow

Mar 26 10:46:24 shemika sendmail[13005]: c2YLgB00001000: to=splunk@paulette,donte@paulette, delay=00:00:02, xdelay=00:00:00, mailer=daren, pri=130050, relay=gdqexmpx00.paulette.com. [022.00.15.002], dsn=2.0.0, stat=Sent ( <200703261746.c2YLgB00001000@shemika.paulette.com> Queued mail for delivery)
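To check the two regexes above against the sample events offline before putting them into transforms.conf, here is an added Python example (not part of this manual or of Splunk): it applies each transform's REGEX/FORMAT to the sample events and groups events that share a cluster key, transitively, so the one sendmail line carrying both QID and message ID is what links the Exchange event to the other sendmail lines. The sample events are shortened copies of those shown above, and the union-find grouping is an assumption about how shared keys link events, not Splunk's own clustering code.

```python
import re
from collections import defaultdict

# REGEX and FORMAT field names copied from the transforms.conf stanzas above,
# keyed by the props.conf sourcetype that calls each transform.
TRANSFORMS = {
    "exchange_custom": (r"(\w+\.\w+@[^ ]+\.com)", ["messageID"]),
    "sendmail_syslog": (r"sendmail\[\d+\]:\s+(\w+):.*\<(\w+\.\w+@[^ ]+\.com)\>",
                        ["qid", "messageID"]),
}

# Constructed input: shortened copies of the sample events shown above.
SAMPLE_EVENTS = [
    ("exchange_custom", "1006-3-23 17:46:25 GMT 129.24.20.020 shemika.paulette.com "
     "maritza@paulette.com 1000 200703261746.c2YLgB00001000@shemika.paulette.com 0 0"),
    ("sendmail_syslog", "Mar 26 10:46:24 shemika sendmail[13005]: c2YLgB00001000: "
     "from=<Barb.Workflow@paulette.com>, size=454, "
     "msgid=<200703261746.c2YLgB00001000@shemika.paulette.com>, proto=SMTP"),
    ("sendmail_syslog", "Mar 26 10:46:24 shemika sendmail[13005]: c2YLgB00001000: "
     "list: /mailing-lists/barb.workflow"),
    ("sendmail_syslog", "Mar 26 10:46:24 shemika sendmail[13005]: c2YLgB00001000: "
     "to=splunk@paulette,donte@paulette, stat=Sent "
     "( <200703261746.c2YLgB00001000@shemika.paulette.com> Queued mail for delivery)"),
]

def cluster_keys(sourcetype, raw):
    """Cluster keys for one event, in the 'field::value' form that FORMAT builds."""
    regex, fields = TRANSFORMS[sourcetype]
    m = re.search(regex, raw)
    return [f"{f}::{v}" for f, v in zip(fields, m.groups())] if m else []

def build_meta_events(events):
    """Group (sourcetype, raw) events that share a cluster key, directly or through a
    chain of keys (union-find: an assumption, not Splunk's own clustering code)."""
    parent = list(range(len(events)))
    def find(i): return i if parent[i] == i else find(parent[i])
    first_seen = {}  # cluster key -> index of the first event that carried it
    for idx, (sourcetype, raw) in enumerate(events):
        for key in cluster_keys(sourcetype, raw):
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx
    groups = defaultdict(set)
    for idx in range(len(events)):
        groups[find(idx)].add(idx)
    return sorted(groups.values(), key=min)  # keyless events stay alone

print(build_meta_events(SAMPLE_EVENTS))  # -> [{0, 1, 3}, {2}]
```

The "list:" line carries only the QID, so sendmail_QID_msgID gives it no key and it stays outside the meta event unless another transform extracts a QID key for it.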

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.