admingit
/
Splunk_Deploiement
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e9fe63ebb6'
${ noResults }
Splunk_Deploiement/deployment-apps/Splunk_TA_vcenter/default/props.conf

252 lines
8.9 KiB
Raw Blame History

# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved.
#Splunk Inc. Splunk for VMWare vCenter Properties File
#
#props.conf - This file defines properties for different inputs
#Stanzas defined for Windows vcenter server 6.x
[source::(?-i)...\\VMware\\vCenterServer\\logs\\perfcharts\\stats.log(?:.\d+)?]
sourcetype = vmware:vclog:stats
MAX_TIMESTAMP_LOOKAHEAD = 25
#stats.log contains both single and multi-line events - like java stack traces
#optional return carriage - for first event - which we discard, then a square bracket and a timestamp
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}
SHOULD_LINEMERGE = false
TRUNCATE = 0
[source::(?-i)...\\VMware\\vCenterServer\\logs\\vmware-vpx\\vpxd-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = true
[source::(?-i)...\\VMware\\vCenterServer\\logs\\vmware-vpx\\vpxd-alert-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-alert
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?
#These files are to be parsed as single line events, always
[source::(?-i)...\\VMware\\vCenterServer\\logs\\vmware-vpx\\vpxd-profiler-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-profiler
LINE_BREAKER = ([\r\n]+)
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
MAX_TIMESTAMP_LOOKAHEAD = 25
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
EXTRACT-extract_kv_pairs = (?<key>.+)[\s](?<value>[^\s]+)$
[source::(?-i)...\\VMware\\vCenterServer\\logs\\vws\\vws.log(?:.\d+)?]
sourcetype = vmware:vclog:vws
MAX_TIMESTAMP_LOOKAHEAD = 25
[source::...\\VMware\\Infrastructure\\...]
sourcetype = vmware:vclog:tomcat
###From VMWare v3.4.5,support for vCenter Server 5.x has ended.###
#Stanzas defined for Windows vcenter server 5.x
[source::(?-i)...\\VMware VirtualCenter\\Logs\\cim-diag.log(?:.\d+)?]
sourcetype = vmware:vclog:cim-diag
MAX_TIMESTAMP_LOOKAHEAD = 25
SHOULD_LINEMERGE = false
[source::(?-i)...\\VMware VirtualCenter\\Logs\\stats.log(?:.\d+)?]
sourcetype = vmware:vclog:stats
MAX_TIMESTAMP_LOOKAHEAD = 25
#stats.log contains both single and multi-line events - like java stack traces
#optional return carriage - for first event - which we discard, then a square bracket and a timestamp
LINE_BREAKER = ([\r\n]+)\[\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}
SHOULD_LINEMERGE = false
TRUNCATE = 0
[source::(?-i)...\\VMware VirtualCenter\\Logs\\vpxd-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = true
[source::(?-i)...\\VMware VirtualCenter\\Logs\\vpxd-alert-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-alert
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?
#These files are to be parsed as single line events, always
[source::(?-i)...\\VMware VirtualCenter\\Logs\\vpxd-profiler-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-profiler
LINE_BREAKER = ([\r\n]+)
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
MAX_TIMESTAMP_LOOKAHEAD = 25
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
EXTRACT-extract_kv_pairs = (?<key>.+)[\s](?<value>[^\s]+)$
[source::(?-i)...\\VMware VirtualCenter\\Logs\\vws.log(?:.\d+)?]
sourcetype = vmware:vclog:vws
MAX_TIMESTAMP_LOOKAHEAD = 25
SHOULD_LINEMERGE = false
#Stanzas defined for Windows vcenter server 5.x and 6.x
[source::...\\VMware\\...]
sourcetype = vmware:vclog
#Stanzas defined for Linux Server Appliance 6.x
[source::(?-i).../var/log/vmware/perfcharts/stats.log(?:.\d+)?]
sourcetype = vmware:vclog:stats
MAX_TIMESTAMP_LOOKAHEAD = 25
#stats.log contains both single and multi-line events - like java stack traces
#optional return carriage - for first event - which we discard, then a square bracket and a timestamp
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}
SHOULD_LINEMERGE = false
TRUNCATE = 0
[source::(?-i).../var/log/vmware/vpxd/vpxd-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = true
[source::(?-i).../var/log/vmware/vpxd/vpxd-alert-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-alert
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?
#These files are to be parsed as single line events, always
[source::(?-i).../var/log/vmware/vpxd/vpxd-profiler-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-profiler
LINE_BREAKER = ([\r\n]+)
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
MAX_TIMESTAMP_LOOKAHEAD = 25
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
EXTRACT-extract_kv_pairs = (?<key>.+)[\s](?<value>[^\s]+)$
[source::(?-i).../var/log/vmware/vws/...]
sourcetype = vmware:vclog:vws
MAX_TIMESTAMP_LOOKAHEAD = 25
[source::.../var/log/vmware/...]
sourcetype = vmware:vclog
MAX_TIMESTAMP_LOOKAHEAD = 25
###From VMWare v3.4.5,support for vCenter Server 5.x has ended.###
#Stanzas defined for Linux Server Appliance 5.x
[source::(?-i).../var/log/vmware/vpx/cim-diag.log(?:.\d+)?]
sourcetype = vmware:vclog:cim-diag
MAX_TIMESTAMP_LOOKAHEAD = 25
[source::(?-i).../var/log/vmware/vpx/stats.log(?:.\d+)?]
sourcetype = vmware:vclog:stats
MAX_TIMESTAMP_LOOKAHEAD = 25
#stats.log contains both single and multi-line events - like java stack traces
#optional return carriage - for first event - which we discard, then a square bracket and a timestamp
LINE_BREAKER = ([\r\n]+)\[\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}
SHOULD_LINEMERGE = false
TRUNCATE = 0
[source::(?-i).../var/log/vmware/vpx/vpxd-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = true
[source::(?-i).../var/log/vmware/vpx/vpxd-alert-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-alert
MAX_TIMESTAMP_LOOKAHEAD = 80
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+\**)\[?\d{4}-\d{2}-\d{2}[T\s]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:[\+\-]\d{2}\:\d{2})?Z?\s+\[?
#These files are to be parsed as single line events, always
[source::(?-i).../var/log/vmware/vpx/vpxd-profiler-\d+.log(?:.\d+)?]
sourcetype = vmware:vclog:vpxd-profiler
LINE_BREAKER = ([\r\n]+)
# Increase default Truncate value (10000 bytes)
TRUNCATE = 30000
MAX_TIMESTAMP_LOOKAHEAD = 25
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
EXTRACT-extract_kv_pairs = (?<key>.+)[\s](?<value>[^\s]+)$
[source::(?-i).../var/log/vmware/vpx/vws.log(?:.\d+)?]
sourcetype = vmware:vclog:vws
MAX_TIMESTAMP_LOOKAHEAD = 25
[source::(?-i).../var/log/vmware/vpx/tomcat/logs/...]
sourcetype = vmware:vclog:tomcat
KV_MODE = xml
FIELDALIAS-generic-field = level as Level, message as Message
MAX_TIMESTAMP_LOOKAHEAD = 25
[source::.../var/log/vmware/vpx/...]
sourcetype = vmware:vclog
MAX_TIMESTAMP_LOOKAHEAD = 25
[source::(?-i).../var/log/vmware/vpx/sms.log(?:.\d+)?]
sourcetype = vmware:vclog:sms
MAX_TIMESTAMP_LOOKAHEAD = 25
#Following log files are not available for vcenter server 5.x and 6.x.
[source::(?-i)...\\VMware VirtualCenter\\Logs\\vim-tomcat-shared.log(?:.\d+)?]
sourcetype = vmware:vclog:vim-tomcat-shared
MAX_TIMESTAMP_LOOKAHEAD = 25
#Stanza defined for Linux Server Appliance 5.5 and 6.x
[vclog]
SHOULD_LINEMERGE = false
TRANSFORMS-vmwvclogsourcetype = set_vclog_sourcetype
# Field Extractions for vCenter logs
[vmware:vclog:vpxd]
EVAL-Object = coalesce(Object, sub)
REPORT-vpxd-5x = vc_vpxd_fields_5x
REPORT-vpxd-6x = vc_vpxd_fields_6x
TRANSFORMS-null1-5x = vmware_vpxd_level_null_5x
TRANSFORMS-null1-6x = vmware_vpxd_level_null_6x
TRANSFORMS-null4 = vmware_vpxd_retrieveContents_null
TRANSFORMS-null5 = vmware_vpxd_null
[vmware:vclog:vws]
REPORT-vws-5x = vc_vws_fields_5x
REPORT-vws-6x = vc_vws_fields_6x
[vmware:vclog:stats]
REPORT-stats-5x = vc_vws_fields_5x
REPORT-stats-6x = vc_stats_fields_6x
[vmware:vclog:cim-diag]
REPORT-cim-5x = vc_cim_fields_5x
[vmware:vclog:sms]
REPORT-sms = vc_sms_fields
[vmware:vclog:vpxd-profiler]
TRANSFORMS-null3-5x = vmware_vpxd_level_null_5x
TRANSFORMS-null3-6x = vmware_vpxd_level_null_6x
EXTRACT-extract_kv_pairs = (vpxd-profiler\s)?(?<key>.+)[\s](?<value>[^\s]+)
[vmware:vclog:vpxd-alert]
TRANSFORMS-null2-5x = vmware_vpxd_level_null_5x
TRANSFORMS-null2-6x = vmware_vpxd_level_null_6x
[vmware:vclog:vim-tomcat-shared]
REPORT-tomcat = vc_vws_fields_5x
Reference in new issue View Git Blame Copy Permalink