@jpclipffel
Created January 17, 2019 16:15

Splunk - Swift SAA JSON logs

How to ingest Swift SAA (Swift Alliance Access) logs in Splunk

SAA configuration

The SAA must be configured to:

  • forward its logs through syslog
  • use the JSON (unformatted) output format, so that each syslog message carries a single JSON object as its payload

Splunk configuration

Input

Example input stanza to write in inputs.conf. It listens on plain TCP; because these events describe payment-message traffic, either keep the syslog path on a trusted network segment or use Splunk's tcp-ssl:// input (with an [SSL] stanza) instead of tcp://:

[tcp://1234]
connection_host = dns
sourcetype = swift:saa
index = swift

Parsing

Simple props.conf stanza that removes the SAA syslog header at index time (the sed expression deletes everything before the first opening brace) and instructs Splunk to parse the remaining payload as JSON at search time. SEDCMD runs in the parsing phase, so this stanza must live on the indexer or heavy forwarder that hosts the TCP input, not on a universal forwarder:

[swift:saa]
SEDCMD-drop_saa_header = s/[^{]*//
KV_MODE = json
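Before shipping the SEDCMD above, it is worth checking what it does to real lines, including lines that carry no JSON at all. The script below is an added example written for this note, not SAA output and not Splunk code: it replays the same sed pattern in Python over constructed syslog lines (RFC 3164 and RFC 5424 style headers) and then parses the result the way KV_MODE = json would. The JSON field names and the header layout are assumptions chosen only to exercise the regex.

```python
"""Offline check of the props.conf SEDCMD-drop_saa_header pattern.

Constructed example for this note; not SAA output and not Splunk code.
The syslog header layout and JSON field names are assumptions.
"""
import json
import re

# Same pattern as SEDCMD-drop_saa_header = s/[^{]*//
# sed without the /g flag replaces only the first match, hence count=1 below.
HEADER_RE = re.compile(r"[^{]*")

# Constructed sample lines: syslog header followed by a JSON payload.
SAMPLE_LINES = [
    # RFC 3164 style header
    '<134>Jan 17 16:15:00 saa-host SAA[1234]: {"event": "login", "user": "alice", "result": "success"}',
    '<134>Jan 17 16:15:01 saa-host SAA[1234]: {"event": "message", "direction": "out", "mt": "103", "nested": {"ref": "x"}}',
    # RFC 5424 style header
    '<134>1 2019-01-17T16:15:02Z saa-host SAA - - - {"event": "logout", "user": "alice"}',
    # Edge case: no JSON at all (e.g. a daemon status line). The sed strips everything.
    '<134>Jan 17 16:15:03 saa-host SAA[1234]: startup complete',
]


def drop_saa_header(raw: str) -> str:
    """Apply the SEDCMD: remove everything before the first '{'.

    If the line contains no '{' the whole line is removed and an empty
    string remains, which is what Splunk would index as _raw.
    """
    return HEADER_RE.sub("", raw, count=1)


def parse_saa_event(raw: str):
    """Strip the header, then parse the remainder as JSON.

    Returns the decoded object, or None when nothing parseable is left
    (the equivalent of KV_MODE = json extracting no fields at search time).
    """
    payload = drop_saa_header(raw)
    if not payload:
        return None
    try:
        return json.loads(payload)
    except json.JSONDecodeError:
        return None


def check_samples(lines=SAMPLE_LINES):
    """Return (parsed, dropped) counts over a set of lines."""
    parsed = dropped = 0
    for line in lines:
        if parse_saa_event(line) is None:
            dropped += 1
        else:
            parsed += 1
    return parsed, dropped


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(repr(drop_saa_header(line)), "->", parse_saa_event(line))
    print("parsed, dropped:", check_samples())
```

Run it against a capture of real SAA syslog output before enabling the stanza: any line counted as dropped would reach the index with an empty _raw, and a header that itself contains an opening brace would survive the sed and break the JSON extraction.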