Channel: Questions in topic: "props.conf"
Browsing all 1485 articles

How to configure multiple sourcetypes for a single monitored file?

Hi. I have a single very huge file with different formats. So I decided to create 3 different sourcetypes for this single file. I tried the below, but I did not succeed. Can anyone point out where am...



How to extract fields from a multiline header followed by structured data...

I have a sourcetype that is in CSV format and I'd like to extract fields from the multiline header that precedes these files coming in. Each new line in the header begins with `#` and these lines are...



What is the precedence for "SEDCMD" attribute?

I think the precedence for the "SEDCMD" attribute within a single stanza is ASCII order. For example, props.conf: `[foo] SEDCMD-01 = s/foo/bar/g SEDCMD-02 = s/bar/foo/g` In this case, SEDCMD-01 is done first...


How to anonymize data using REGEX in transforms.conf for an undefined number...

Hi, I would like to anonymize data (data is file system path) using REGEX. I successfully managed to hide data like IP, Credit Card Number, etc. But not able to replicate the setup for an undefined...


I am able to extract a field using rex and sed in a search, but why is the...

Hello Splunkers I am currently using the following regex+sed to make one of my extracted fields usable. Trying to avoid having to do this by adding **SEDCMD** entry to my props.conf for the specific...



Splunk TA for Suricata: Should TIME_PREFIX=event_second": be changed to...

Our suri nodes have "timestamp" as a prefix for {"timestamp":"2016-02-29T10:11:26.037993+0100", "flow_id":140671543700208, "in_iface":"etthxxx", "event_type":"alert", "src_ip":"198.51.44.3",...


Can Splunk do filtering based on the index name rather than source or...

We have a condition where we need to filter out data based on the byte count in the log. We have collapsed the source and sourcetype names coming from different servers and we need to be specific based...


Why are monitored JSON files on a universal forwarder getting indexed with an...

I am doing a web scraping project using Splunk and Scrapy. I have a server that's responsible for web scraping and has the universal forwarder installed. The forwarder will forward the scraped data,...



Why is my regex for SEDCMD in props.conf not removing repeated dashes when...

My developers are adding dashes `---` in their logs all over. Sometimes 1.. sometimes 10 dashes. Makes them look really ugly in Splunk. Hoping to remove them using SEDCMD. Any idea why this isn't...



Does the Splunk for DNS app work with Bluecat DNS logs?

Trying to get this app running against Bluecat DNS logs and I'm having issues with two of the field extractions: DNS_Type DNSIP Does the app work with Bluecat DNS logs? Thx


How to configure props.conf and transforms.conf to replace host with FQDN in...

Hello, New Splunk user here. I have a syslog input consuming messages from a bunch of different hosts. Most PTR records resolve just fine and the host is correctly assigned. But I have a couple of IPs...


How can I split a JSON array into multiple events?

Hello, I'm trying to split a JSON array into multiple events in props.conf. What's the best way to do this? Here is the JSON example: { "Applications": [ { "outputname": "Adobe Flash Player",...


Indexing odd multiline events

I've got a log file we're monitoring which outputs its events in a strange format I'm struggling to index correctly. An example of the events is: BSE:16/02/16 13:55:47 Thread:007528 Completed...



Anonymize Data in Splunk Search

Hey, I am running a local instance of Splunk for testing purposes. The aim is to anonymize certain parts of the data that can be searched. In my files there were no props.conf or transforms.conf so I...


Field extraction from lines with different fields from same source

I have a source from which I am collecting logs via syslog. My challenge is that the log files sent by the same source contain lines that are not consistent in terms of fields. Please see below. Mar 11...



Why is the configuration not applied immediately when a knowledge object is...

Hi forum, I'm currently fighting with an installation of a Searchhead. When a Knowledge Object is created, the configuration takes "a while" before it is applied. The behavior is reproducible by e.g.:...


sourcetype isn't parsing DHCP data correctly on indexer but does when I...

I am attempting to parse Windows DHCP data. For those who aren't familiar with the format, the logs have a description which never changes from lines 1-32 of every file; on line 33 is the header and...



How to configure Splunk to index NetApp CIFS logs in XML format?

I am having issues configuring Splunk to Index NetApp CIFS logs in XML format. Here is an example of 3 events: 4656Open Object101.3CIFS000x8020000000000000Audit...


Why is one transform overriding the other with my current configuration?

Hey there, I have the following in my props.conf file: [tomcat-appl] TRANSFORMS-set = createsource, instance This takes a monitored folder I have (with a dozen or log files) all set to the sourcetype...


Anonymize only Child Nodes

Hello, I was wondering could anyone help me figure out the sed script and regex required to anonymize child nodes from XML. The difficulty seems to be due to the fact each node takes its own line...


