
NetApp ONTAP wrong regex

Open ehlo550 opened this issue 2 years ago • 2 comments

https://github.com/splunk/splunk-connect-for-syslog/blob/main/package/etc/conf.d/conflib/syslog/app-syslog-netapp_ontap.conf

patterns('^[A-Za-z0-9\-\_\.]+: [0-9]+\.[0-9a-f]+ [0-9a-f]+ [A-Z][a-z][a-z] (?<timestamp>[A-Z][a-z][a-z] \d\d \d\d\d\d \d\d:\d\d:\d\d [+-]?\d{1,2}:\d\d)')

--> ^[A-Za-z0-9\-\_\.]+: [0-9a-f]+\.[0-9a-f]+ [0-9a-f]+ [A-Z][a-z][a-z] (?<timestamp>[A-Z][a-z][a-z] \d\d \d\d\d\d \d\d:\d\d:\d\d [+-]?\d{1,2}:\d\d)

I sent a capture to @mateuszpierzchala-splunk in Slack as proof

ehlo550 avatar Oct 05 '22 10:10 ehlo550

echo '<14>Oct 5 10:34:23 dcstef11: dcstef11: 0000002e.0012bbc8 01a345ef Wed Oct 05 2022 10:34:21 +02:00 [kern_audit:info:2602] 8123e812314d123f :: dcstef11:ontapi :: 10.10.10.10:45878 :: dcfast1:ocum :: aggr-check-spare-low :: Success:' > /dev/udp/172.20.20.20/514

ehlo550 avatar Oct 05 '22 10:10 ehlo550

there is also an issue with dtparse

                    format(
                        '%a %d %Y %H:%M:%S %z',
                        '%b %d %Y %H:%M:%S %z'
                    )
                    template("${.tmp.timestamp}")
                );

ehlo550 avatar Oct 05 '22 11:10 ehlo550
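As an added check (not code from the issue or from SC4S), the original and proposed patterns are run against a constructed event of the same shape as the one posted above, using Python's re module (the named group is written `(?P<timestamp>...)` because Python does not accept `(?<timestamp>...)`); the second helper tries the two dtparse formats from the comment above against the captured group.

```python
"""Check the NetApp ONTAP syslog-ng pattern and dtparse formats from this issue."""
import re
from datetime import datetime

# Constructed sample with the same shape as the event posted in the issue:
# the first hex field "0000002e" contains a letter, which the old regex rejects.
SAMPLE = ("dcstef11: 0000002e.0012bbc8 01a345ef Wed Oct 05 2022 10:34:21 +02:00 "
          "[kern_audit:info:2602] 8123e812314d123f :: dcstef11:ontapi :: "
          "10.10.10.10:45878 :: dcfast1:ocum :: aggr-check-spare-low :: Success:")

# Capture group as in app-syslog-netapp_ontap.conf (Python named-group syntax).
TS = r"(?P<timestamp>[A-Z][a-z][a-z] \d\d \d\d\d\d \d\d:\d\d:\d\d [+-]?\d{1,2}:\d\d)"

# Original pattern: first field allows decimal digits only.
OLD_PATTERN = re.compile(
    r"^[A-Za-z0-9\-\_\.]+: [0-9]+\.[0-9a-f]+ [0-9a-f]+ [A-Z][a-z][a-z] " + TS)
# Proposed fix: the first field is hexadecimal as well.
NEW_PATTERN = re.compile(
    r"^[A-Za-z0-9\-\_\.]+: [0-9a-f]+\.[0-9a-f]+ [0-9a-f]+ [A-Z][a-z][a-z] " + TS)


def extract_timestamp(pattern, message):
    """Return the captured timestamp, or None when the pattern does not match."""
    m = pattern.match(message)
    return m.group("timestamp") if m else None


def format_matches(fmt, ts):
    """True when strptime accepts the captured timestamp with this dtparse-style format.
    The weekday ("Wed") sits outside the capture group, so '%a ...' cannot match it."""
    try:
        datetime.strptime(ts, fmt)
        return True
    except ValueError:
        return False


def parse_timestamp(ts):
    """Parse the captured group with the month-name format, keeping the +02:00 offset."""
    return datetime.strptime(ts, "%b %d %Y %H:%M:%S %z")


if __name__ == "__main__":
    print("old pattern:", extract_timestamp(OLD_PATTERN, SAMPLE))
    print("new pattern:", extract_timestamp(NEW_PATTERN, SAMPLE))
    for fmt in ("%a %d %Y %H:%M:%S %z", "%b %d %Y %H:%M:%S %z"):
        print(fmt, "->", format_matches(fmt, extract_timestamp(NEW_PATTERN, SAMPLE)))
```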

closed by #1880