# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved. 
#Splunk Inc.  Splunk for VMWare vCenter Properties File
#
#props.conf - This file defines properties for different inputs

#Stanzas defined for Windows vcenter server 6.x

[source::(?-i)...\\VMware\\vCenterServer\\logs\\perfcharts\\stats.log(?:.\d+)?]
sourcetype = vmware:vclog:stats
MAX_TIMESTAMP_LOOKAHEAD = 25
#stats.log contains both single and multi-line events - like java stack traces
#optional return carriage - for first event - which we discard, then a square bracket and a timestamp
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}
SHOULD_LINEMERGE = false
TRUNCATE = 0

[source::(?-i)...\\VMware\\vCenterServer\\logs\\vmware-vpx\\vpxd-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = true

[source::(?-i)...\\VMware\\vCenterServer\\logs\\vmware-vpx\\vpxd-alert-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-alert
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?

#These files are to be parsed as single line events, always
[source::(?-i)...\\VMware\\vCenterServer\\logs\\vmware-vpx\\vpxd-profiler-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-profiler
LINE_BREAKER = ([\r\n]+)
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
MAX_TIMESTAMP_LOOKAHEAD = 25
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
EXTRACT-extract_kv_pairs = (?<key>.+)[\s](?<value>[^\s]+)$

[source::(?-i)...\\VMware\\vCenterServer\\logs\\vws\\vws.log(?:.\d+)?]
sourcetype = vmware:vclog:vws
MAX_TIMESTAMP_LOOKAHEAD = 25

[source::...\\VMware\\Infrastructure\\...]
sourcetype = vmware:vclog:tomcat

###From VMWare v3.4.5,support for vCenter Server 5.x has ended.###
#Stanzas defined for Windows vcenter server 5.x

[source::(?-i)...\\VMware VirtualCenter\\Logs\\cim-diag.log(?:.\d+)?]
sourcetype = vmware:vclog:cim-diag
MAX_TIMESTAMP_LOOKAHEAD = 25
SHOULD_LINEMERGE = false

[source::(?-i)...\\VMware VirtualCenter\\Logs\\stats.log(?:.\d+)?]
sourcetype = vmware:vclog:stats
MAX_TIMESTAMP_LOOKAHEAD = 25
#stats.log contains both single and multi-line events - like java stack traces
#optional return carriage - for first event - which we discard, then a square bracket and a timestamp
LINE_BREAKER = ([\r\n]+)\[\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}
SHOULD_LINEMERGE = false
TRUNCATE = 0

[source::(?-i)...\\VMware VirtualCenter\\Logs\\vpxd-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = true

[source::(?-i)...\\VMware VirtualCenter\\Logs\\vpxd-alert-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-alert
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?

#These files are to be parsed as single line events, always
[source::(?-i)...\\VMware VirtualCenter\\Logs\\vpxd-profiler-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-profiler
LINE_BREAKER = ([\r\n]+)
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
MAX_TIMESTAMP_LOOKAHEAD = 25
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
EXTRACT-extract_kv_pairs = (?<key>.+)[\s](?<value>[^\s]+)$

[source::(?-i)...\\VMware VirtualCenter\\Logs\\vws.log(?:.\d+)?]
sourcetype = vmware:vclog:vws
MAX_TIMESTAMP_LOOKAHEAD = 25
SHOULD_LINEMERGE = false

#Stanzas defined for Windows vcenter server 5.x and 6.x
[source::...\\VMware\\...]
sourcetype = vmware:vclog

#Stanzas defined for Linux Server Appliance 6.x

[source::(?-i).../var/log/vmware/perfcharts/stats.log(?:.\d+)?]
sourcetype = vmware:vclog:stats
MAX_TIMESTAMP_LOOKAHEAD = 25
#stats.log contains both single and multi-line events - like java stack traces
#optional return carriage - for first event - which we discard, then a square bracket and a timestamp
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}
SHOULD_LINEMERGE = false
TRUNCATE = 0

[source::(?-i).../var/log/vmware/vpxd/vpxd-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = true

[source::(?-i).../var/log/vmware/vpxd/vpxd-alert-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-alert
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?

#These files are to be parsed as single line events, always
[source::(?-i).../var/log/vmware/vpxd/vpxd-profiler-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-profiler
LINE_BREAKER = ([\r\n]+)
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
MAX_TIMESTAMP_LOOKAHEAD = 25
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
EXTRACT-extract_kv_pairs = (?<key>.+)[\s](?<value>[^\s]+)$

[source::(?-i).../var/log/vmware/vws/...]
sourcetype = vmware:vclog:vws
MAX_TIMESTAMP_LOOKAHEAD = 25

[source::.../var/log/vmware/...]
sourcetype = vmware:vclog
MAX_TIMESTAMP_LOOKAHEAD = 25

###From VMWare v3.4.5,support for vCenter Server 5.x has ended.###
#Stanzas defined for Linux Server Appliance 5.x

[source::(?-i).../var/log/vmware/vpx/cim-diag.log(?:.\d+)?]
sourcetype = vmware:vclog:cim-diag
MAX_TIMESTAMP_LOOKAHEAD = 25

[source::(?-i).../var/log/vmware/vpx/stats.log(?:.\d+)?]
sourcetype = vmware:vclog:stats
MAX_TIMESTAMP_LOOKAHEAD = 25
#stats.log contains both single and multi-line events - like java stack traces
#optional return carriage - for first event - which we discard, then a square bracket and a timestamp
LINE_BREAKER = ([\r\n]+)\[\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}
SHOULD_LINEMERGE = false
TRUNCATE = 0

[source::(?-i).../var/log/vmware/vpx/vpxd-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = true

[source::(?-i).../var/log/vmware/vpx/vpxd-alert-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-alert
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?

#These files are to be parsed as single line events, always
[source::(?-i).../var/log/vmware/vpx/vpxd-profiler-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-profiler
LINE_BREAKER = ([\r\n]+)
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
MAX_TIMESTAMP_LOOKAHEAD = 25
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
EXTRACT-extract_kv_pairs = (?<key>.+)[\s](?<value>[^\s]+)$

[source::(?-i).../var/log/vmware/vpx/vws.log(?:.\d+)?]
sourcetype = vmware:vclog:vws
MAX_TIMESTAMP_LOOKAHEAD = 25

[source::(?-i).../var/log/vmware/vpx/tomcat/logs/...]
sourcetype = vmware:vclog:tomcat
KV_MODE = xml
FIELDALIAS-generic-field = level as Level, message as Message
MAX_TIMESTAMP_LOOKAHEAD = 25

[source::.../var/log/vmware/vpx/...]
sourcetype = vmware:vclog
MAX_TIMESTAMP_LOOKAHEAD = 25

[source::(?-i).../var/log/vmware/vpx/sms.log(?:.\d+)?]
sourcetype = vmware:vclog:sms
MAX_TIMESTAMP_LOOKAHEAD = 25

#Following log files are not available for vcenter server 5.x and 6.x.

[source::(?-i)...\\VMware VirtualCenter\\Logs\\vim-tomcat-shared.log(?:.\d+)?]
sourcetype = vmware:vclog:vim-tomcat-shared
MAX_TIMESTAMP_LOOKAHEAD = 25

#Stanza defined for Linux Server Appliance 5.5 and 6.x

[vclog]
SHOULD_LINEMERGE = false
TRANSFORMS-vmwvclogsourcetype = set_vclog_sourcetype

# Field Extractions for vCenter logs

[vmware:vclog:vpxd]
EVAL-Object = coalesce(Object, sub)
REPORT-vpxd-5x = vc_vpxd_fields_5x
REPORT-vpxd-6x = vc_vpxd_fields_6x
TRANSFORMS-null1-5x = vmware_vpxd_level_null_5x
TRANSFORMS-null1-6x = vmware_vpxd_level_null_6x
TRANSFORMS-null4 = vmware_vpxd_retrieveContents_null
TRANSFORMS-null5 = vmware_vpxd_null

[vmware:vclog:vws]
REPORT-vws-5x = vc_vws_fields_5x
REPORT-vws-6x = vc_vws_fields_6x

[vmware:vclog:stats]
REPORT-stats-5x = vc_vws_fields_5x
REPORT-stats-6x = vc_stats_fields_6x

[vmware:vclog:cim-diag]
REPORT-cim-5x = vc_cim_fields_5x

[vmware:vclog:sms]
REPORT-sms = vc_sms_fields

[vmware:vclog:vpxd-profiler]
TRANSFORMS-null3-5x = vmware_vpxd_level_null_5x
TRANSFORMS-null3-6x = vmware_vpxd_level_null_6x
EXTRACT-extract_kv_pairs = (vpxd-profiler\s)?(?<key>.+)[\s](?<value>[^\s]+)

[vmware:vclog:vpxd-alert]
TRANSFORMS-null2-5x = vmware_vpxd_level_null_5x
TRANSFORMS-null2-6x = vmware_vpxd_level_null_6x

[vmware:vclog:vim-tomcat-shared]
REPORT-tomcat = vc_vws_fields_5x