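# ITSI internal log files under .../var/log/splunk/ whose names start with "itsi".
# (/|\\) accepts either path separator, so forward-slash and backslash paths both match.
[source::...(/|\\)var(/|\\)log(/|\\)splunk(/|\\)itsi*]
# The timestamp is the first thing in every event.
TIME_PREFIX = ^
# Constructed sample: 2024-01-31 12:34:56,789+0000 (28 characters).
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N%z
# A new event starts only where a line break is followed by a YYYY-MM-DD date, so
# tracebacks and other continuation lines stay attached to their event. A
# continuation line that itself begins with such a date is split off as its own
# event; keep that in mind when reading multi-line messages during an investigation.
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s
SHOULD_LINEMERGE = false
# Maximum event length in bytes; anything longer is cut off at index time.
TRUNCATE = 200000
# One character more than the 28-character timestamp described by TIME_FORMAT.
MAX_TIMESTAMP_LOOKAHEAD = 29
sourcetype = itsi_internal_log
# Search-time extractions, all anchored at the start of the event:
#   component     - contents of the first [...] token
#   sub_component - the [...] token right after it, up to the first ':' or ']'
#   log_level     - the word immediately before the first '['
EXTRACT-component = ^[^\[\n]*\[(?P<component>[^\]]+)
EXTRACT-sub_component = ^[^\]\n]*\]\s+\[(?P<sub_component>[^:\]]+)
EXTRACT-log_level = ^[^\[\n]*\s+(?P<log_level>(?:\w+))\s+\[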
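# Sourcetype assigned to the ITSI log files matched by the source:: stanza for
# .../var/log/splunk/itsi* in this file; only a description is set here.
[itsi_internal_log]
description = ITSI Internal Log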
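# CSV events whose fields are parsed at index time. Automatic search-time
# key-value extraction is turned off so the same fields are not extracted twice.
[itsi_summary:metrics]
KV_MODE = none
INDEXED_EXTRACTIONS = csv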
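# JSON events whose fields are parsed at index time. Automatic search-time
# key-value extraction is turned off so the same fields are not extracted twice.
[itsi_notable:event]
KV_MODE = none
INDEXED_EXTRACTIONS = JSON
# Maximum event length in bytes. A longer event is cut off at index time, and a
# cut JSON document may no longer parse into fields.
TRUNCATE = 100000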
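# JSON events whose fields are parsed at index time. Automatic search-time
# key-value extraction is turned off so the same fields are not extracted twice.
[itsi_notable:group]
KV_MODE = none
INDEXED_EXTRACTIONS = JSON
# Maximum event length in bytes. A longer event is cut off at index time, and a
# cut JSON document may no longer parse into fields.
TRUNCATE = 100000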
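# JSON events whose fields are parsed at index time. Automatic search-time
# key-value extraction is turned off so the same fields are not extracted twice.
[itsi_notable:audit]
KV_MODE = none
INDEXED_EXTRACTIONS = JSON
# Maximum event length in bytes. A longer event is cut off at index time, and a
# cut JSON document may no longer parse into fields. For an audit sourcetype that
# means a lost record, so truncation warnings in splunkd.log are worth monitoring.
TRUNCATE = 100000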
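# JSON events whose fields are parsed at index time. Automatic search-time
# key-value extraction is turned off so the same fields are not extracted twice.
# NOTE(review): the other itsi_notable:* stanzas in this file set TRUNCATE = 100000.
# This one sets no TRUNCATE, so it inherits the default limit (10000 bytes unless
# overridden elsewhere). Confirm that archived events never exceed it.
[itsi_notable:archive]
KV_MODE = none
INDEXED_EXTRACTIONS = JSON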
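# JSON events whose fields are parsed at index time. Automatic search-time
# key-value extraction is turned off so the same fields are not extracted twice.
[itsi_notable:comment]
KV_MODE = none
INDEXED_EXTRACTIONS = JSON
# Maximum event length in bytes. A longer event is cut off at index time, and a
# cut JSON document may no longer parse into fields.
TRUNCATE = 100000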
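# Declares the sourcetype with a description only; no parsing or extraction
# settings are set for it in this file.
[itsi_im_metrics]
description = For ITSI IM metrics.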
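## For the data collected by VMware Metrics TA
# Automatic search-time key-value extraction is disabled for this sourcetype.
[vmware_inframon:inv:datastore]
KV_MODE = none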
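# Automatic search-time key-value extraction is disabled for this sourcetype.
[vmware_inframon:inv:hostsystem]
KV_MODE = none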
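# Automatic search-time key-value extraction is disabled for this sourcetype.
[vmware_inframon:inv:vm]
KV_MODE = none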
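# Automatic search-time key-value extraction is disabled for this sourcetype.
[vmware_inframon:inv:clustercomputeresource]
KV_MODE = none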
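# Automatic search-time key-value extraction is disabled for this sourcetype.
[vmware_inframon:tasks]
KV_MODE = none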
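# Automatic search-time key-value extraction is disabled for this sourcetype.
[vmware_inframon:events]
KV_MODE = none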
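# Search-time extraction delegated to the transforms.conf stanza
# hydra_logger_fields, which is not defined in this file.
[ta_vmware_hierarchy_agent]
REPORT-hydraloggerfields = hydra_logger_fields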
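## Original from SA-Hydra
# Search-time extraction delegated to the transforms.conf stanza
# hydra_scheduler_log_fields, which is not defined in this file.
[hydra_scheduler]
REPORT-schedulerfields = hydra_scheduler_log_fields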
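# Two search-time extractions, each delegated to a transforms.conf stanza
# (hydra_worker_log_fields and pool_name_field_extraction) that is not defined in
# this file.
[hydra_worker]
REPORT-workerfields = hydra_worker_log_fields
REPORT-pool_name_field = pool_name_field_extraction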
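# Applies the pool-name extraction to any *_configuration.log file under
# .../var/log/splunk/, whatever its sourcetype.
# NOTE(review): this pattern uses forward slashes only, unlike the (/|\\) form on
# the itsi* source stanza in this file; confirm whether backslash (Windows) paths
# need to match here too.
[source::.../var/log/splunk/*_configuration.log]
REPORT-pool_name_field = pool_name_field_extraction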
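# Search-time extraction delegated to the transforms.conf stanza
# hydra_gateway_log_fields, which is not defined in this file.
[hydra_gateway]
REPORT-gatewayfields = hydra_gateway_log_fields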
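# Search-time extraction delegated to the transforms.conf stanza
# hydra_access_log_fields, which is not defined in this file.
# NOTE(review): the class name "gatewayfields" is the same one [hydra_gateway]
# uses. The two stanzas are separate sourcetypes, so they do not collide. The name
# is left unchanged because an override in another configuration layer may refer
# to it.
[hydra_access]
REPORT-gatewayfields = hydra_access_log_fields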
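# Content pack installation log, including rotated copies (trailing *).
# NOTE(review): this pattern uses forward slashes only, unlike the (/|\\) form on
# the itsi* source stanza in this file; confirm whether backslash (Windows) paths
# need to match here too.
[source::.../var/log/splunk/itsi_content_packs_install.log*]
# content_pack_id is everything after "content_pack_id=" up to the next space, so
# installs can be searched and audited per content pack.
EXTRACT-content_pack_id = ^[^=\n]*Installation\s+of\s+Content\s+Pack\s+with\s+content_pack_id=(?P<content_pack_id>[^ ]+)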