How to convert a splunk transform into logstash

(Rolf Berkenbosch) #1

Hi all,

I have the following in the transform.conf of splunk:

REGEX = ([a-z]+)=([a-z]+)
FORMAT = $1::$2

What it basically does is convert the following search:
device="SFW" date=2016-11-13 time=12:53:08 timezone="CET" device_name="SFVUNL" device_id=C0100999CRJ6G4W log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=10 fw_rule_id=8 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="Secure Socket Layer Protocol" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="PortA" out_interface="" src_mac=00: 0:00: 0:00: 0 src_ip= src_country_code=R1 dst_ip= dst_country_code=NLD protocol="TCP" src_port=21473 dst_port=443 sent_pkts=8 recv_pkts=7 sent_bytes=2725 recv_bytes=2295 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=8080 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="2960042848" vconnid="" hb_health="No Heartbeat"

field = value

field:device value:SFW
field:date value:2016-11-13
field:time value:12:53:08
etc. etc.

Is this possible with logstash?

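The usual Logstash equivalent of a Splunk `REGEX`/`FORMAT` key-value extraction is the `kv` filter, which splits the event on a field separator and a value separator and strips surrounding quotes by default. The pipeline below is an added example, not code from the original thread; the input/output sections are only there so it can be run stand-alone with `bin/logstash -f kv-example.conf` and a copy of the firewall line pasted on stdin. The `kv` options used (`source`, `field_split`, `value_split`, `trim_value`) are real filter settings; the optional `date` block that combines the `date` and `time` fields into `@timestamp` is an assumption about how the log should be timestamped, not something the question asked for.

```conf
# Added example: key=value extraction with the Logstash kv filter.
input {
  stdin { }
}

filter {
  # Splits "device="SFW" date=2016-11-13 time=12:53:08 ..." into one
  # field per key=value pair. Quoted values are unquoted, so
  # application="Secure Socket Layer Protocol" keeps its embedded spaces.
  kv {
    source      => "message"
    field_split => " "
    value_split => "="
    trim_value  => "\""
  }

  # Optional: build @timestamp from the device's own date and time fields
  # (assumed to be local time in the timezone field, CET in the sample).
  if [date] and [time] {
    mutate {
      add_field => { "event_time" => "%{date} %{time}" }
    }
    date {
      match    => [ "event_time", "yyyy-MM-dd HH:mm:ss" ]
      timezone => "Europe/Amsterdam"
      remove_field => [ "event_time" ]
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Two caveats worth checking against the sample line before relying on this in detection pipelines: `kv` matches any key up to the `=` (digits and underscores included, so `log_id=010101600001` and `fw_rule_id=8` come through, which the Splunk regex `([a-z]+)=([a-z]+)` would not have matched), and unquoted values containing spaces, such as the garbled `src_mac=00: 0:00: 0:00: 0`, are cut at the first space, with the leftover tokens silently ignored because they carry no `=`. Empty values like `src_ip=` should also be inspected in the `rubydebug` output so that missing fields are not mistaken for absent data downstream.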

(Mark Walkom) #2

Yep, check out

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.