package splunktest;
import java.io.BufferedWriter;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.net.Socket;
public class InputTest {
public static void main(String[] args) throws Throwable {
Socket socket = new Socket("localhost", 60001);
// 向服务端程序发送数据
OutputStream ops = socket.getOutputStream();
OutputStreamWriter opsw = new OutputStreamWriter(ops);
BufferedWriter bw = new BufferedWriter(opsw);
bw.write("2008-10-30 14:15:21 mightyhost awesomeftpd INFO Attempt to login by user: root: login FAILED.\r\n\r\n");
bw.flush();
ops.close();
opsw.close();
bw.close();
socket.close();
}
}
放在system/default下
[tcp://60001]
connection_host = dns
sourcetype = ftpd-log
index = main
Define two new indexed fields with one regex
This example creates two indexed fields called username and login_result.
transforms.conf
In transforms.conf add:
[ftpd-login] REGEX = Attempt to login by user: (.*): login (.*)\. FORMAT = username::"$1" login_result::"$2" WRITE_META = true
This stanza finds the literal text Attempt to login by user:, extracts a username followed by a colon, and then the result, which is followed by a period. A line might look like:
2008-10-30 14:15:21 mightyhost awesomeftpd INFO Attempt to login by user: root: login FAILED.
props.conf
Add the following lines to props.conf:
[ftpd-log] TRANSFORMS-login = ftpd-login
fields.conf
Add the following lines to fields.conf:
[username] INDEXED=true [login_result] INDEXED=true
Restart Splunk for your configuration file changes to take effect.