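# Splunk props.conf: parsing and field-extraction settings for ITSI internal
# logs, ITSI notable-event sourcetypes, VMware inframon data and Hydra logs.
# Splunk .conf files have no inline comments, so every comment below sits on
# its own line.

# ITSI internal logs, matched by path with either separator (/ or \).
[source::...(/|\\)var(/|\\)log(/|\\)splunk(/|\\)itsi*]
# The timestamp is the first thing in each event. A constructed sample,
# 2024-01-01 12:00:00,123+0000, is 28 characters, which fits the lookahead of 29.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 29
# A new event starts only where a line begins with YYYY-MM-DD followed by
# whitespace, so continuation lines (tracebacks, for example) stay attached to
# the event they belong to.
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s
SHOULD_LINEMERGE = false
# Events longer than this many bytes are cut off at index time.
TRUNCATE = 200000
sourcetype = itsi_internal_log
# NOTE(review): the capture-group names were missing in this copy of the file
# ("(?P[" is not a valid named group, so the extraction cannot define a field).
# They are restored here from the EXTRACT class names; verify against the
# props.conf shipped with the app.
EXTRACT-component = ^[^\[\n]*\[(?P<component>[^\]]+)
EXTRACT-sub_component = ^[^\]\n]*\]\s+\[(?P<sub_component>[^:\]]+)
EXTRACT-log_level = ^[^\[\n]*\s+(?P<log_level>(?:\w+))\s+\[

[itsi_internal_log]
description = ITSI Internal Log

# Structured sourcetypes: fields come from INDEXED_EXTRACTIONS at index time,
# and KV_MODE = none turns off search-time key/value extraction for them.
[itsi_summary:metrics]
KV_MODE = none
INDEXED_EXTRACTIONS = csv

# Notable-event sourcetypes. An event longer than TRUNCATE is cut off, and a
# cut-off JSON event may no longer parse, so its fields can be missing from
# searches and alerts. LineBreakingProcessor truncation warnings in splunkd.log
# show when this happens.
[itsi_notable:event]
KV_MODE = none
INDEXED_EXTRACTIONS = JSON
TRUNCATE = 100000

[itsi_notable:group]
KV_MODE = none
INDEXED_EXTRACTIONS = JSON
TRUNCATE = 100000

# Audit records: truncation here means an incomplete audit trail.
[itsi_notable:audit]
KV_MODE = none
INDEXED_EXTRACTIONS = JSON
TRUNCATE = 100000

# NOTE(review): unlike the other itsi_notable stanzas this one sets no TRUNCATE,
# so the Splunk default (10000 bytes) applies. Confirm that is intended.
[itsi_notable:archive]
KV_MODE = none
INDEXED_EXTRACTIONS = JSON

[itsi_notable:comment]
KV_MODE = none
INDEXED_EXTRACTIONS = JSON
TRUNCATE = 100000

[itsi_im_metrics]
description = For ITSI IM metrics.

## For the data collected by VMware Metrics TA
[vmware_inframon:inv:datastore]
KV_MODE = none

[vmware_inframon:inv:hostsystem]
KV_MODE = none

[vmware_inframon:inv:vm]
KV_MODE = none

[vmware_inframon:inv:clustercomputeresource]
KV_MODE = none

[vmware_inframon:tasks]
KV_MODE = none

[vmware_inframon:events]
KV_MODE = none

# Each REPORT-* value names a transforms.conf stanza (not shown here) that must
# exist for the fields to be extracted.
[ta_vmware_hierarchy_agent]
REPORT-hydraloggerfields = hydra_logger_fields

## Original from SA-Hydra
[hydra_scheduler]
REPORT-schedulerfields = hydra_scheduler_log_fields

[hydra_worker]
REPORT-workerfields = hydra_worker_log_fields
REPORT-pool_name_field = pool_name_field_extraction

# NOTE(review): this pattern and the content-pack one below use forward slashes
# only, unlike the first stanza's (/|\\). Presumably they do not match
# backslash-separated Windows paths; confirm.
[source::.../var/log/splunk/*_configuration.log]
REPORT-pool_name_field = pool_name_field_extraction

[hydra_gateway]
REPORT-gatewayfields = hydra_gateway_log_fields

[hydra_access]
REPORT-gatewayfields = hydra_access_log_fields

[source::.../var/log/splunk/itsi_content_packs_install.log*]
# NOTE(review): group name restored from the EXTRACT class name, as for the
# ITSI internal-log extractions above; verify against the shipped file.
EXTRACT-content_pack_id = ^[^=\n]*Installation\s+of\s+Content\s+Pack\s+with\s+content_pack_id=(?P<content_pack_id>[^ ]+)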