updates for dedicated port
rfaircloth-splunk committed Feb 10, 2020
1 parent 5a6ebd1 commit a101417
Showing 3 changed files with 19 additions and 1 deletion.
2 changes: 1 addition & 1 deletion package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
@@ -1,6 +1,6 @@
# Cisco UCM
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
{{- $context := dict "port_id" "CISCO_UCM" "parser" "rfc3164" }}
{{- $context := dict "port_id" "CISCO_UCM" "parser" "cisco_ucm" }}
{{- tmpl.Exec "t/source_network.t" $context }}

log {
1 change: 1 addition & 0 deletions package/etc/context_templates/splunk_index.csv.example
@@ -18,6 +18,7 @@
#cisco_ios,index,netops
#cisco_ise,index,netauth
#cisco_nx_os,index,netops
#cisco_ucm,index,main
#local_example,index,main
#forcepoint_webprotect,index,netproxy
#fortinet_fortios_event,index,netops
17 changes: 17 additions & 0 deletions package/etc/go_templates/source_network.t
@@ -88,6 +88,23 @@ source s_{{ .port_id }} {
{{ else if eq .parser "cisco_meraki_parser" }}
parser (p_cisco_meraki);
rewrite(set_rfc5424_epochtime);
{{ else if eq .parser "cisco_ucm" }}
parser {
#Oct 14 2015 05:50:19 AM.484 UTC
#Apr 21 19:01:35.638 UTC
date-parser(format(
'%b %d %Y %I:%M:%S %p.%f %Z',
'%b %d %H:%M:%S.%f %Z'
)
template("$3"));
};
rewrite {
set("cisco_ucm" value("fields.sc4s_syslog_format"));
set("cisco_ucm" value("fields.sc4s_vendor_product"));
set("$HOST_FROM" value("HOST") );
set("$2" value("HOST") condition(match("^..." template("${2}"))) );
set("$4" value("MESSAGE"));
};
{{ else if eq .parser "no_parse" }}
rewrite(set_no_parse);
{{ else }}
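Review bot: The HOST override in the new `cisco_ucm` rewrite block is guarded only by `match("^..." template("${2}"))`, which accepts any value of three or more characters, so whatever sender-supplied text lands in `$2` replaces the `$HOST_FROM` value set on the line above. The match that populates `$2`, `$3` and `$4` is outside this hunk, so how tightly `$2` is already constrained cannot be confirmed from here. If it is a loose capture, a hostname-shaped guard such as `condition(match('^[A-Za-z0-9][A-Za-z0-9._-]{2,}$' template("${2}")))` would keep arbitrary payload text out of the field analysts use for source attribution. It is also worth confirming what happens to an event whose `$3` matches neither `date-parser` format, so that a malformed timestamp on the dedicated port cannot cause the message to be silently dropped. The enclosing `source s_{{ .port_id }}` block starts and ends outside the hunk.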