How to configure time format in props.conf to parse the original time in the...
I've got logs that have time being sent to a syslog - the syslog is also putting a time on it to track when the logs hit the syslog. I want Splunk to parse the original time in the log, and I've tried...
Sending HEC data to Nullqueue
We are using the HEC collector endpoint to consume logs from FluentD. We recently identified a filtering opportunity and are trying to apply props/transforms to send data to the null queue, which is not working....
Field extraction using props.conf and transforms.conf
Hello, This is what my field extraction looks like in the GUI: Name- `source::/home/user/logs/* : EXTRACT-request_id` Type- `Inline` Extraction/Transform- `Request\sID:\s(?P[0-9a-zA-Z\:\.\-\@]+)` App-...
Why is my data not parsing correctly?
I am trying to make sure I know how to configure an environment to ingest weblogs that are correctly parsed and I am running into trouble in that I am only getting 1 single event. I have used feedback...
Is there any way to find out that my sourcetype is reading props
Is there any way to find out that my sourcetype is reading props? Does it have any logs to check what props my sourcetype is leveraging?
Raspberry Pi Universal Forwarder Bug Report for...
On a Raspberry Pi 3 armv7l GNU/Linux, `INDEXED_EXTRACTIONS=JSON` in the `props.conf` file results in unrecoverable JSON StreamId processing errors: `05-06-2020 17:52:07.836 +0100 ERROR JsonLineBreaker...
Use hostname variables in index_time EVAL
Hi everyone, I am trying to add a custom field on every event that is coming from a Heavy-Forwarder, so that from search I can know which HF the events are going through. Here is my configuration in a HF:...
props.conf timestamp clarification
I have json data that can vary greatly in size with the timestamp field coming at the end of each event. I'm able to parse all the timestamps correctly using the config TIME_PREFIX="timestamp":+ except...
Line breaking for output via Powershell Script
I have created an app for running a PowerShell script which gives output as below: @{Date=05/08/2020; ARRAY=Server1; LATEST SNAPSHOT(In Days)=1; LATEST SNAPSHOT DATE=05/07/2020; OLDEST SNAPSHOT(In...
TIMESTAMP_PREFIX not finding timestamp in JSON structure.
I need some help getting my config right in props.conf. When the data comes in I can see the _time is not set to the value passed for TimeStamp. It is set to the time the event was ingested. For legacy...
Events from same file getting separate timestamps
I have json files that have multiple events per file. However when I ingest the data, Splunk parses some of the timestamps correctly and gives other events from the same file the timestamp of when the...
How do I exclude certain emails from being indexed?
We have recently turned on journaling within MS Exchange which basically sends a copy of every item to a journaling mail box. We know the email address the process uses and this appears in the message...
Multiple timestamp fields with same field name
I have some json data events that have multiple "date" fields. The date field I am looking to use as my timestamp comes at the end of every event and it appears that Splunk is using whichever date field...
Need to remove prefix from json array.
Need to remove prefix from json array. I want to remove everything before {"id" {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#auditLogs/directoryAudits","value":[{"id"
Missing logs for eventcode 4776 (Windows TA installed on universal forwarder...
Hello, I'm able to receive almost all eventcodes for `wineventlog:security` but missing the logs for eventcode 4776. I have the Windows TA app installed on the universal forwarder and search head. I...
Time Prefix Question
Hello All, I have a time prefix question. Here is my timestamp: May 20 10:59:30 svr-orw-nac-01 2020-05-20 17:59:30,646 May 20 11:01:01 svr-ies-nac-02 2020-05-20 18:01:01,389 I am setting props.conf to be...
Can you apply transforms to all events meant for a specific index?
In my testing environment I have three main indexes that are specific to the data stored within them. I want to change the host value of all events by appending a string at the end of the host at index...
Line breaking doesn't work and my event is divided in 2 events
The log is parsed in a bad way. That's the props.conf: SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)Data\:\s\d{14} MAX_EVENTS = 256 TRUNCATE = 10000 TIME_PREFIX = ^Data\:\s TIME_FORMAT = %d%m%Y%H%M%S...
Setting up Splunk App for Windows Infrastructure with Splunk Add-on for...
Hello Folks, I am trying to set up Splunk App for Windows Infrastructure for easier dashboarding and management, however, despite days of research, I am still unable to fix/solve the problem regarding...
How to index events (CSV file from universal forwarder) based on the time field?
I am trying to index a CSV file from UF, which contains some historical data. Below is the sample of the events. Somehow the events are not getting indexed based on the timestamp from the CSV file....