Splunk_deploy/deployment-apps/Splunk_TA_esxilogs/default/props.conf

# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved. 

####### INDEX TIME EXTRACTION ##########
[esxi]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?:.*?(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{5})?)\s[^ ]+\s+[^ ]+\s+[^\->])|([\r\n]+)(?:.*?\w+\s+\d+\s+\d{2}:\d{2}:\d{2})(?:\s+[^ ]+\s+)+[^\->]
TZ = UTC
DATETIME_CONFIG = /etc/apps/Splunk_TA_esxilogs/default/syslog_datetime.xml

######### SYSLOG - DEFAULT DATETIME ###################
# When using syslog server if date time is not correctly extracted from events then use the default
# uncomment line below and remove custom date time above
#DATETIME_CONFIG = /etc/datetime.xml
#######################################################

TRANSFORMS-nullqueue = vmware_generic_level_null
TRANSFORMS-vmsyslogsourcetype = set_syslog_sourcetype,set_syslog_sourcetype_4x,set_syslog_sourcetype_sections
TRANSFORMS-vmsyslogsource = set_syslog_source

############ SYSLOG - HOST FIELD EXTRACTION #############
# When using syslog server host extraction can be done from event itself. For example if event has the following format:  "Mar 26 19:00:20 esx1.abc.com Hostd:"
# uncomment the line
#TRANSFORMS-vmsysloghost = set_host
#########################################################

##### DEFAULT VMWARE SEARCH TIME FIELD EXTRACTION #####
# The stanzas below are used to extract fields for ESXi log browser at search time.

[source::vmware:esxlog:...]
REPORT-fields = esx_hostd_fields_5x,esx_hostd_fields_6x, esx_generic_fields,esx_hostd_fields_syslogserver,esx_generic_fields_syslogserver,esx_hostd_fields_4x,esx_generic_fields_4x

[vmware:esxlog:vmkernel]
REPORT-vmkernel = esx_vmkernel_fields,esx_vmkernel_fields_syslogserver,esx_vmkernel_fields_4x

[vmware:esxlog:vmkwarning]
REPORT-vmkwarning = esx_vmkernel_fields,esx_vmkernel_fields_syslogserver,esx_vmkernel_fields_4x