splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

NetApp ONTAP wrong regex #1858

Closed ehlo550 closed 2 years ago

ehlo550 commented 2 years ago

https://github.com/splunk/splunk-connect-for-syslog/blob/main/package/etc/conf.d/conflib/syslog/app-syslog-netapp_ontap.conf

patterns('^[A-Za-z0-9\-\_\.]+: [0-9]+\.[0-9a-f]+ [0-9a-f]+ [A-Z][a-z][a-z] (?<timestamp>[A-Z][a-z][a-z] \d\d \d\d\d\d \d\d:\d\d:\d\d [+-]?\d{1,2}:\d\d)')

--> ^[A-Za-z0-9\-\_\.]+: [0-9a-f]+\.[0-9a-f]+ [0-9a-f]+ [A-Z][a-z][a-z] (?<timestamp>[A-Z][a-z][a-z] \d\d \d\d\d\d \d\d:\d\d:\d\d [+-]?\d{1,2}:\d\d)

I sent a capture to @mateuszpierzchala-splunk in Slack as proof.

ehlo550 commented 2 years ago

echo '<14>Oct 5 10:34:23 dcstef11: dcstef11: 0000002e.0012bbc8 01a345ef Wed Oct 05 2022 10:34:21 +02:00 [kern_audit:info:2602] 8123e812314d123f :: dcstef11:ontapi :: 10.10.10.10:45878 :: dcfast1:ocum :: aggr-check-spare-low :: Success:' > /dev/udp/172.20.20.20/514
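As an added regression check, not part of the issue thread or the project's configuration: the original and proposed patterns from the first comment applied in Python to the message body from the capture above. Python's re spells the named group as (?P<name>...) rather than PCRE's (?<name>...), and the body is assumed to be what syslog-ng hands the app parser after consuming the "<14>Oct 5 10:34:23 dcstef11: " header.

```python
import re

# Tail of the pattern shared by both versions; only the sequence-number class differs.
# Python's re uses (?P<name>...) where the syslog-ng config uses PCRE's (?<name>...).
TIMESTAMP = (r" [A-Z][a-z][a-z] (?P<timestamp>[A-Z][a-z][a-z] \d\d \d\d\d\d"
             r" \d\d:\d\d:\d\d [+-]?\d{1,2}:\d\d)")
# Pattern as shipped in app-syslog-netapp_ontap.conf at the time of the report.
ORIGINAL = re.compile(r"^[A-Za-z0-9\-\_\.]+: [0-9]+\.[0-9a-f]+ [0-9a-f]+" + TIMESTAMP)
# Pattern proposed in the issue: the first sequence-number field is hex, not decimal.
PROPOSED = re.compile(r"^[A-Za-z0-9\-\_\.]+: [0-9a-f]+\.[0-9a-f]+ [0-9a-f]+" + TIMESTAMP)

# Message body from the capture in the issue; the syslog header is assumed to have
# been consumed by syslog-ng's header parser before the app pattern runs.
SAMPLE = ("dcstef11: 0000002e.0012bbc8 01a345ef Wed Oct 05 2022 10:34:21 +02:00 "
          "[kern_audit:info:2602] 8123e812314d123f :: dcstef11:ontapi :: 10.10.10.10:45878 "
          ":: dcfast1:ocum :: aggr-check-spare-low :: Success:")


def extract_timestamp(pattern, body):
    """Return the captured ONTAP timestamp, or None when the pattern does not match."""
    m = pattern.match(body)
    return m.group("timestamp") if m else None


def regression_check(bodies):
    """For each body, return (original result, proposed result).

    A decimal-only sequence number matches both patterns; a sequence number
    containing a-f (the reported case) matches only the proposed pattern, so
    the original silently drops the timestamp for a large share of real events.
    """
    return [(extract_timestamp(ORIGINAL, b), extract_timestamp(PROPOSED, b)) for b in bodies]


if __name__ == "__main__":
    # Constructed variant with an all-decimal sequence number, which the original pattern accepts.
    decimal_seq = SAMPLE.replace("0000002e", "00000021")
    for orig, new in regression_check([SAMPLE, decimal_seq]):
        print(f"original: {orig!r:32} proposed: {new!r}")
```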

ehlo550 commented 2 years ago

there is also an issue with dtparse

                    format(
                        '%a %d %Y %H:%M:%S %z',
                        '%b %d %Y %H:%M:%S %z'
                    )
                    template("${.tmp.timestamp}")
                );

mateuszpierzchala-splunk commented 2 years ago

closed by #1880