
单机版splunk创建索引和重写source,sourcetype,原日志保持不变


indexes.conf

# Index "custom": receives the events from the raw TCP input on this page.
# The backslash path separators mean this stanza is written for a Windows host.
# NOTE(review): no frozenTimePeriodInSecs / maxTotalDataSizeMB is set here, so
# the instance defaults decide how long data is kept - confirm they meet your
# log-retention requirement.
[custom]
# Hot and warm buckets.
homePath = $SPLUNK_DB\custom\db
# Cold buckets.
coldPath = $SPLUNK_DB\custom\colddb
# Buckets restored (thawed) from an archive.
thawedPath = $SPLUNK_DB\custom\thaweddb
# Data model acceleration summaries; relies on a volume named
# _splunk_summaries being defined elsewhere in indexes.conf.
tstatsHomePath = volume:_splunk_summaries\custom\datamodel_summary
# Memory, in MB, allotted to indexing for this index.
maxMemMB = 20
# Upper bound on concurrent optimize processes for a hot bucket.
maxConcurrentOptimizes = 6
# A hot bucket that receives no data for 86400 s (24 h) rolls to warm.
maxHotIdleSecs = 86400
# Upper bound on simultaneously open hot buckets.
maxHotBuckets = 10
# Bucket size preset intended for high-volume indexes.
maxDataSize = auto_high_volume

 

inputs.conf

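# Raw TCP listener on port 60002, all interfaces. The documented stanza form is
# [tcp://<remote server>:<port>]; leaving the server part empty accepts any
# sender. The original header "[tcp::60002]" does not follow that form.
#
# This input is cleartext and unauthenticated: anything that can reach the port
# can write events into the "custom" index, and (with the transforms on this
# page) choose their source and sourcetype. Limit who can connect, for example
# with the acceptFrom setting or a host firewall, and use a [tcp-ssl:<port>]
# input if the events cross an untrusted network.
# Example (constructed value - the test sender on this page runs on localhost):
# acceptFrom = 127.0.0.1
[tcp://:60002]
# Initial sourcetype; props.conf keys its index-time transforms on this name.
sourcetype = custom-log
# host is set from a reverse DNS lookup of the sender. A PTR record is chosen
# by whoever controls that address range, so prefer connection_host = ip when
# the host field is used for attribution.
connection_host = dns
index = custom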

 

props.conf

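# Index-time transforms for events that arrive with sourcetype custom-log.
#
# The original stanza set TRANSFORMS-sourcetype twice. A key may appear only
# once per stanza, so the second assignment (set-rawdata) replaced the first
# and set-sourcetype never ran.
#
# All three transforms now share one class, because within a class they run in
# the order listed. set-rawdata must run last: it removes the <tag>...<tag>
# header from _raw, and the other two transforms need that header to match.
# Separate classes would be ordered by class name, not by their position in
# this file, which makes that ordering easy to break.
[custom-log]
TRANSFORMS-custom = set-source, set-sourcetype, set-rawdata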

 

transforms.conf

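# Index-time transforms for events shaped like:
#   <tag>app_id:APP,log_type:TYPE<tag>original log line
#
# The captures use negated character classes instead of the original greedy
# (.*). With (.*), a log body that itself contains "<tag>" made the match run
# to the LAST "<tag>" in the event: the sourcetype absorbed part of the body,
# and set-rawdata kept only the text after that last "<tag>".
#
# source and sourcetype are taken from data the sender supplies. Searches and
# alerts scoped by source/sourcetype therefore trust whatever the sender wrote,
# so restrict who can reach the input, and consider narrowing the classes
# further (for example to [A-Za-z0-9_-]+) and anchoring the pattern with ^ if
# every event starts with the tag.
#
# Events that do not match keep sourcetype custom-log and their default source;
# a search for leftover custom-log events shows malformed or unexpected senders.

# Rewrite source to the app_id value.
[set-source]
REGEX = <tag>app_id:([^,<]+),log_type:([^<]+)<tag>
FORMAT = source::$1
DEST_KEY = MetaData:Source
# NOTE(review): WRITE_META is documented for indexed-field extraction (it
# stands in for DEST_KEY = _meta). The documented source/sourcetype overrides
# use DEST_KEY alone - confirm this line is needed.
WRITE_META = true

# Rewrite sourcetype to "<app_id>##<log_type>".
[set-sourcetype]
REGEX = <tag>app_id:([^,<]+),log_type:([^<]+)<tag>
FORMAT = sourcetype::$1##$2
DEST_KEY = MetaData:Sourcetype
# NOTE(review): same WRITE_META question as in [set-source].
WRITE_META = true

# Drop the tag header so that only the original log text is indexed as _raw.
# Must run after the two stanzas above, which need the header to match.
# NOTE(review): "." does not match a newline by default, so for a multi-line
# event only the rest of the first line would be kept - confirm events are
# single-line.
[set-rawdata]
REGEX = <tag>app_id:([^,<]+),log_type:([^<]+)<tag>(.*)
FORMAT = $3
DEST_KEY = _raw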

 

 

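/**
 * Minimal sender for exercising the raw TCP input configured on this page.
 *
 * It connects to a listener on localhost and writes one tagged event of the
 * form {@code <tag>app_id:APP,log_type:TYPE<tag>log text}. The connection is
 * plain TCP with no authentication or encryption, which matches the input
 * stanza shown on this page.
 */
public class InputTest {

    public static void main(String[] args) throws Throwable {
        //send(60001, "2008-10-30 14:15:21 mightyhost awesomeftpd INFO Attempt to login by user: root: login FAILEDaaaaaaaaaaddddde.\r\n\r\n");
        send(60002, "<tag>app_id:quguilai,log_type:cuostlog<tag> test log");
    }

    /**
     * Sends one message to a TCP listener on localhost.
     *
     * @param port    TCP port of the listener
     * @param message text to send; written as-is, no line terminator is added
     * @throws UnknownHostException if "localhost" cannot be resolved
     * @throws IOException          if connecting or writing fails
     */
    private static void send(int port, String message) throws UnknownHostException, IOException {
        // try-with-resources closes the writer first and the socket second,
        // and also on the failure path. The original closed the raw stream
        // before the writers wrapping it and leaked the socket when write()
        // threw.
        // The charset is explicit so the bytes on the wire do not depend on
        // the platform default encoding of the sending JVM.
        try (Socket socket = new Socket("localhost", port);
             BufferedWriter writer = new BufferedWriter(new OutputStreamWriter(
                     socket.getOutputStream(), java.nio.charset.StandardCharsets.UTF_8))) {
            // Send the data to the server program.
            writer.write(message);
            writer.flush();
        }
    }
}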

 

 

 
