From 8eaea05bc30a3b537f4bdee836f9c7c2a7266e7e Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Fri, 15 May 2020 15:50:00 -0700
Subject: [PATCH 1/2] Fix regex for new statistic in syslog-ng 3.27
* Update `sc4s_internal.conf.tmpl` to update regex to handle new connection statistic in syslog-ng version 3.27
---
 package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
index 1ce291f..d2a9c0c 100644
--- a/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
@@ -9,7 +9,7 @@ log {
 rewrite {
 subst('Log statistics; ', '', value("MESSAGE"), flags("utf8" "global"));
 subst('([^= ]+=\x27[^\(]+\(#anon[^,\)]+(?:,[^,]+,[^\)]+)?\)\=\d+\x27(?:, )?)', '', value("MESSAGE"), flags("utf8" "global"));
- subst('(?[^= ]+)=\x27(?[^\(]+)\((?[^,\)]+)(?:,(?[^,]+),(?[^\)]+))?\)\=(?\d+)\x27,? ?',
+ subst('(?[^= ]+)=\x27(?[^\(]+)\((?\S+(?=\)=))(?:,(?[^,]+),(?[^\)]+))?\)\=(?\d+)\x27,? ?',
 '{"time": "$S_UNIXTIME","event": "metric","host": "$HOST","index": "${.splunk.index}","source": "internal","sourcetype": "${.splunk.sourcetype}","fields": {"source_name": "${SourceName}","source_instance": "${SourceInstance}","state": "${State}","type": "${Type}","_value": ${Number},"metric_name": "syslogng.${SourceId}"}} ',
 value("MESSAGE")
 flags("utf8" "global")
From a84f57d8fa8a29b160d487a4a5244511ee4876a7 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Sat, 16 May 2020 09:47:23 -0400
Subject: [PATCH 2/2] Fixed test case for corrected new metric name and for vs-code execution with -det args
---
 package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl | 4 ++--
 tests/test_common.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
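Review bot: In the new `subst` pattern the `SourceInstance` part `\S+(?=\)=)` is forced to end immediately before `)=`, so the optional `(?:,State,Type)?` group that follows it can never consume anything — the next character is always `)` — which leaves `${State}` and `${Type}` in the JSON template empty and folds a comma-separated instance wholesale into `${SourceInstance}` (this assumes instances contain no whitespace, as the `\S` class already requires). If that is the intended new shape, the dead group and the two template fields should go; otherwise make the instance part lazy so a trailing `,state,type` is still claimed by the named groups, e.g. `\((?<SourceInstance>\S+?)(?:,(?<State>[^,]+),(?<Type>[^\)]+))?\)\=`, which also keeps matching the two-part and one-part instances the lookahead was added for. The named-group labels (`<SourceId>` and friends, referenced by the template as `${SourceId}` etc.) appear to have been stripped from the rendered hunk, presumably by extraction. The `rewrite` block continues past the end of the hunk.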
diff --git a/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
index d2a9c0c..0bfba04 100644
--- a/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
@@ -1,13 +1,13 @@
 log {
 source(s_internal);
- if (match("^Log statistics; " value("MESSAGE"))) {
+ if (match("Log statistics; " value("MESSAGE"))) {
 rewrite { r_set_splunk_dest_default(sourcetype("sc4s:metrics"), index("em_metrics")) };
 parser {p_add_context_splunk(key("sc4s_metrics")); };
 rewrite {
- subst('Log statistics; ', '', value("MESSAGE"), flags("utf8" "global"));
+ subst('.*Log statistics; ', '', value("MESSAGE"), flags("utf8" "global"));
 subst('([^= ]+=\x27[^\(]+\(#anon[^,\)]+(?:,[^,]+,[^\)]+)?\)\=\d+\x27(?:, )?)', '', value("MESSAGE"), flags("utf8" "global"));
 subst('(?[^= ]+)=\x27(?[^\(]+)\((?\S+(?=\)=))(?:,(?[^,]+),(?[^\)]+))?\)\=(?\d+)\x27,? ?',
 '{"time": "$S_UNIXTIME","event": "metric","host": "$HOST","index": "${.splunk.index}","source": "internal","sourcetype": "${.splunk.sourcetype}","fields": {"source_name": "${SourceName}","source_instance": "${SourceInstance}","state": "${State}","type": "${Type}","_value": ${Number},"metric_name": "syslogng.${SourceId}"}}
diff --git a/tests/test_common.py b/tests/test_common.py
index d826ade..d2b54f2 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
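Review bot: Dropping the `^` anchor from `match("Log statistics; " value("MESSAGE"))` and prefixing the subst with a greedy `.*` routes any internal message that merely contains the phrase into the metrics path and discards everything up to its last occurrence, and nothing in the file records why; the commit subject suggests a prefix appears in front of the statistics line when syslog-ng runs with `-d -e -t`, but that cannot be confirmed from the hunk. A comment above the `if` would preserve the reason, e.g. `# unanchored on purpose: the statistics line may carry a leading prefix (observed with the -det debug/trace flags)`. If the prefix never itself contains the phrase, a lazy `.*?` in the subst would avoid swallowing a second occurrence inside the message body. The `log` block continues past the end of the hunk.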
@@ -109,14 +109,14 @@ def test_fallback(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 def test_metrics(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 st = env.from_string(
- 'mcatalog values(metric_name) WHERE metric_name="syslogng.d_*#0" AND ("index"="*" OR "index"="_*") BY index | fields index')
+ 'mcatalog values(metric_name) WHERE metric_name="syslogng.*" AND ("index"="*" OR "index"="_*") BY metric_name | fields metric_name')
 search = st.render()
 resultCount, eventCount = splunk_single(setup_splunk, search)
 record_property("resultCount", resultCount)
- assert resultCount == 1
+ assert resultCount != 0
 def test_tz_guess(record_property, setup_wordlist, setup_splunk, setup_sc4s):
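Review bot: The relaxed `assert resultCount != 0` together with the wildcard `metric_name="syslogng.*"` only proves that some syslogng metric reached Splunk; it no longer detects a missing metric or a broken field mapping, which is exactly what the regex change in the companion patch could regress. Keep at least one specific expectation: search for a metric name the fixture is known to emit and assert `resultCount == 1` for it, or assert that the expected name is among the returned `metric_name` values. Grouping `BY metric_name` and then selecting only `fields metric_name` also means the `index` filter is the only thing constraining the result set, so a short comment above the search stating what the test is meant to prove would help the next reader. The module continues outside the hunk.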