Hey Splunkers,
It has been days since I installed a new app on our Splunk Enterprise system. The app seems to not be supported anymore as the last version was for Splunk v6.1 and I am on 6.4.
Anyway, I am trying to make it work now and have some problems with the scripted input. This is what my local/inputs.conf look like:
[script://$SPLUNK_HOME/etc/apps/TA-lastpass/bin/lastpass-log.py]
disabled = false
host = lastpass.com
interval = 3 1 * * *
source = lastpassapi
sourcetype = lastpass_logs
index = main
passAuth = admin
So, the script runs just fine. I run it and I have all the info that I need. However, only a few rows of it are being indexed. I am suspecting there is a filter on the transforms.conf and/or props.conf.
I want to get "everything" from what the script produces, and then I can extract fields with a search regex. How should I modify transforms.conf and/or props.conf to allow that?
Regards,
Evangelos
↧