创建索引字段

quguilai

浏览: 87288 次
性别:
来自: 北京

最近访客更多访客>>

happinesss

IT_fang

mr_vittor

2326653787

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

splunk

package splunktest;

import java.io.BufferedWriter;

import java.io.OutputStream;

import java.io.OutputStreamWriter;

import java.net.Socket;

public class InputTest {

public static void main(String[] args) throws Throwable {

Socket socket = new Socket("localhost", 60001);

// 向服务端程序发送数据

OutputStream ops = socket.getOutputStream();

OutputStreamWriter opsw = new OutputStreamWriter(ops);

BufferedWriter bw = new BufferedWriter(opsw);

bw.write("2008-10-30 14:15:21 mightyhost awesomeftpd INFO Attempt to login by user: root: login FAILED.\r\n\r\n");

bw.flush();

ops.close();

opsw.close();

bw.close();

socket.close();

}

放在system/default下

[tcp://60001]

connection_host = dns

sourcetype = ftpd-log

index = main

Define two new indexed fields with one regex

This example creates two indexed fields called username and login_result.

transforms.conf

In transforms.conf add:

[ftpd-login]
REGEX = Attempt to login by user: (.*): login (.*)\.
FORMAT = username::"$1" login_result::"$2"
WRITE_META = true

This stanza finds the literal text Attempt to login by user:, extracts a username followed by a colon, and then the result, which is followed by a period. A line might look like:

2008-10-30 14:15:21 mightyhost awesomeftpd INFO Attempt to login by user: root: login FAILED.

props.conf

Add the following lines to props.conf:

[ftpd-log]
TRANSFORMS-login = ftpd-login

fields.conf

Add the following lines to fields.conf:

[username]
INDEXED=true

[login_result]
INDEXED=true

Restart Splunk for your configuration file changes to take effect.

分享到：

单机版splunk创建索引和重写source,sourcet ... | proxy

2017-09-02 22:24
浏览 346
评论(0)
分类:行业应用
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论