I edited the transforms from Splunk Web and now I have content in the local directory. How do I merge this with the default content?
You can merge content from the local directory by copying the stanzas from the file in local directory into the corresponding file in the default directory.
For example, say you want to merge the following:
The local transforms file (
[bluecoat]
SHOULD_LINEMERGE = false

[product_static_Proxy]
REGEX = (.)
FORMAT = product::"Proxy"
The default transforms file (
[bluecoat]
REPORT-0auto_kv_for_bluecoat = auto_kv_for_bluecoat
The combined transforms file (in default/transforms.conf) would look like this:
[bluecoat]
SHOULD_LINEMERGE = false
REPORT-0auto_kv_for_bluecoat = auto_kv_for_bluecoat

[product_static_Proxy]
REGEX = (.)
FORMAT = product::"Proxy"
Once you have migrated all the stanzas, make sure to delete the files in the local directory.
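The merge described above can be scripted rather than done by hand. The following is an added example, not code from the Splunk App for PCI Compliance; it parses the two .conf files as INI-style stanzas (Splunk keys are case-sensitive, so key case is preserved), copies every local stanza into the default content, and lets a local value win when the same key exists in both, which is the precedence Splunk itself applies when layering local over default. The two inputs are constructed inline from the page's example; in practice they would be read from <app>/local/transforms.conf and <app>/default/transforms.conf.

```python
"""Merge stanzas from a Splunk local/transforms.conf into default/transforms.conf."""
import configparser

# Constructed inputs reproducing the page's example (not read from disk here).
LOCAL_CONF = """\
[bluecoat]
SHOULD_LINEMERGE = false

[product_static_Proxy]
REGEX = (.)
FORMAT = product::"Proxy"
"""

DEFAULT_CONF = """\
[bluecoat]
REPORT-0auto_kv_for_bluecoat = auto_kv_for_bluecoat
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping stanza order and key case."""
    parser = configparser.ConfigParser(
        interpolation=None,      # values such as FORMAT = product::"Proxy" contain no ConfigParser interpolation
        allow_no_value=True,
        delimiters=("=",),       # Splunk only splits on '='; values may legitimately contain ':'
    )
    parser.optionxform = str     # keep REPORT-0... exactly as written (Splunk keys are case-sensitive)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def merge_conf(default_text, local_text):
    """Return the default stanzas with every local stanza merged in.

    Keys present only in local are added; keys present in both take the local
    value, matching the local-over-default precedence Splunk applies at runtime.
    """
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def render_conf(stanzas):
    """Serialise {stanza: {key: value}} back into .conf text."""
    lines = []
    for stanza, keys in stanzas.items():
        lines.append(f"[{stanza}]")
        lines.extend(f"{key} = {value}" for key, value in keys.items())
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Prints the combined transforms.conf content shown on the page.
    print(render_conf(merge_conf(DEFAULT_CONF, LOCAL_CONF)))
```

Review the rendered output before writing it over default/transforms.conf, and only then remove the local file, as the text above says; a key that exists in both files is the case worth checking by eye, since the local value silently replaces the default one.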
My source data is mostly tab-delimited, but the first three fields are space-delimited... these fields contain the date and time, the log host, and the log type. What should I do?
Put these fields into one field called log_header and ignore it. The fields are not necessary for the technology add-on to function.
Splunk fails to extract values spanning multiple lines
Splunk fails to automatically extract values when those values span multiple lines. The fields are extracted with the correct name but the value is left empty if the original value includes multiple lines.
To work around this issue, create a transform that extracts the entire field. Below is a transform that extracts the multi-line field "message" for the source type "acme_firewall":
[message_for_acme_firewall]
REGEX = ,\s+message=\"(.*?)(\",\s+\S+\=)
FORMAT = message::"$1"
Then, enable the transform in default/props.conf in the technology add-on folder:
[acme_firewall]
REPORT-0message_for_acme_firewall = message_for_acme_firewall
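To see why the transform above recovers a multi-line value where automatic extraction leaves it empty, the following added example (not code from the page or from Splunk) runs the page's REGEX against a constructed firewall event whose message spans three lines, next to a naive single-line pattern of the kind that stops at the first line break. The event text is made up for the illustration; the DOTALL flag is an assumption needed so that Python's `.` crosses line breaks the way the page relies on.

```python
import re

# The page's transform, written as a Python regex: group 1 is the message,
# group 2 anchors the end of the value on the next  key=  pair.
MESSAGE_REGEX = re.compile(r',\s+message="(.*?)(",\s+\S+=)', re.DOTALL)

# A naive pattern that only accepts a value on a single line.
NAIVE_REGEX = re.compile(r'message="([^\n"]*)"')

# Constructed sample event (not real vendor output): the message carries line breaks.
SAMPLE_EVENT = (
    'timestamp="2024-01-01T00:00:00Z", host="fw1", message="Blocked connection\n'
    'src=10.0.0.5\n'
    'dst=10.0.0.9", severity="high"'
)


def extract_message(event):
    """Return the full (possibly multi-line) message value, or None if absent."""
    match = MESSAGE_REGEX.search(event)
    return match.group(1) if match else None


def extract_message_naive(event):
    """Single-line extraction: returns None when the value spans lines."""
    match = NAIVE_REGEX.search(event)
    return match.group(1) if match else None


if __name__ == "__main__":
    print("transform:", repr(extract_message(SAMPLE_EVENT)))
    print("naive    :", repr(extract_message_naive(SAMPLE_EVENT)))
```

The non-greedy `(.*?)` stops at the first `",` that is followed by another `key=` pair, so embedded line breaks and even `key=value` text inside the message are kept as part of the value; the naive pattern fails on the same event, which is the empty-value symptom described above.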
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1