Hello team, first of all I'm not sure if this would be considered an issue; it's more of a question, my apologies for the inconvenience.
I created a parser for a data source called "VM Ware Tanzu", and I assigned a new sourcetype, source, and index because by default sc4s was assigning a sc4s:fallback sourcetype, so we are good here.
Nevertheless the indexed data looks like this:
10.220.192.169 2024-10-01T16:04:05.901971+00:00 paiement-plateforme-plateforme-entreprise [APP/PROC/WEB/0] - [tags@47450 app_id="c-41e9-ac71" app_name="obtention-taux" deployment="cf" index="84" instance_id="0" ip="10.152" job="juan_cell" organization_id="a81jsha" organization_name="org" origin="rep" process_id="a82c0" process_instance_id="4863-ad3c" process_type="web" product="VMware Tanzu Application Service" source_id="acfb" source_type="APP/PROC/WEB" space_id="bc332" space_name="dev" system_domain="system.com"] 2024-10-01T16:04:05.901Z "DEBUG"
Our customer wants to remove the IP address at the beginning of the syslog message and just start with the timestamp, like this:
2024-10-01T16:04:05.901971+00:00 paiement-plateforme-plateforme-entreprise [APP/PROC/WEB/0] - [tags@47450 app_id="c-41e9-ac71" app_name="obtention-taux" deployment="cf" index="84" instance_id="0" ip="10.152" job="juan_cell" organization_id="a81jsha" organization_name="org" origin="rep" process_id="a82c0" process_instance_id="4863-ad3c" process_type="web" product="VMware Tanzu Application Service" source_id="acfb" source_type="APP/PROC/WEB" space_id="bc332" space_name="dev" system_domain="system.com"] 2024-10-01T16:04:05.901Z "DEBUG"
This is the parser we are using:
# the block parser is where the "parsing" of the event happens and enrichment of meta data
# sample: <111> Mar 24 10:45:00 osnixexample: this is a test
block parser vmware_tanzu-parser() {
    channel {
        rewrite {
            # set defaults; these values can be overridden at run time by splunk_metadata.csv
            r_set_splunk_dest_default(
                index("test_team_2")
                source("vmware:az:example")
                sourcetype('vmware:nix:example')
                # this value is used to look up runtime settings such as index from splunk_metadata.csv
                vendor("vmware")
                product("tanzu")
                # Common values are t_hdr_msg (BSD Style syslog without timestamp and host) and t_5424_hdr_sdata_compact RFC5424 with opti>
                # These values will be automatically selected based on the format of the source the specific value is only needed in speci>
                #template("t_hdr_msg")
            );
        };
    };
};

application vmware_tanzu[sc4s-syslog] {
    filter {
        tags(".source.s_VMWARE_TANZU");
    };
    parser { vmware_tanzu-parser(); };
};
Thanks in advance for your support and help.
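As an added example (not code from the issue above or from the SC4S project), the same parser with a syslog-ng subst() rewrite that drops one leading IPv4 address from the message body. It assumes the address is part of ${MESSAGE} as received; the regular expression, its timestamp lookahead and the placement inside the existing rewrite block are my choices, not something the page confirms. If the address is actually the parsed ${HOST} being re-emitted by the output template, the template option already commented out in the parser is the lever to look at instead of subst().

```conf
# Added example: strip a leading IPv4 address from the message body in an SC4S parser.
# Assumes the IP sits in ${MESSAGE}; the pattern below is an assumption, not SC4S code.
block parser vmware_tanzu-parser() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index("test_team_2")
                source("vmware:az:example")
                sourcetype('vmware:nix:example')
                vendor("vmware")
                product("tanzu")
            );
            # Remove one IPv4 address and the whitespace after it at the start of MESSAGE,
            # but only when an ISO-8601 date (YYYY-MM-DDT) follows, so a message that
            # does not carry the prefix is left untouched. Single quotes keep the PCRE
            # backslashes literal for syslog-ng; the anchor makes flags("global") unnecessary.
            subst('^(?:\d{1,3}\.){3}\d{1,3}\s+(?=\d{4}-\d{2}-\d{2}T)', '',
                  value("MESSAGE"), type("pcre"));
        };
    };
};

application vmware_tanzu[sc4s-syslog] {
    filter {
        tags(".source.s_VMWARE_TANZU");
    };
    parser { vmware_tanzu-parser(); };
};
```

After reloading, check in Splunk that _raw for the sourcetype now begins with the timestamp while the host field still carries the sender address; the rewrite only touches the message body, so nothing about where the event came from is lost.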