Why did the DATE field change to RUNDATE in a CSV feed file and events are...
DATE field changed to RUNTIME in .csv feed file. Now 'date' data is showing up as the file modification time! I've got TIMESTAMP_FIELDS=RUNDATE and TIME_FORMATE=%Y-%m-%d (same as in the .csv file)....
Can you regex or wildcard props Sourcetype stanzas?
Still haven't seen an official answer to this. Source and host can use regex patterns, but sourcetypes cannot. Even a splunk blog recommends a way that is well... not recommended:...
How to configure Splunk to use a field/column from a flat CSV file as the...
Hello, We have a CSV file which is a flat file. It has a column named 'RUNDATE' where the date is in '2016-04-20' format. Currently, Splunk indexes all the lines in this CSV as time modified of the CSV...
Parsing a field, how can I tell if the value is an IP or a hostname (string)?
If I parse out a field, how can I tell if the value is an IP or a hostname? timestamp host error: Auth fail user1 from 1.2.3.4 timestamp host error: Auth fail user2 from host.machine.com While it's...
How do I make sure that every event starts parsing at the beginning of the line?
I'm running into a problem where some events are parsed in the middle versus from the beginning of the string. For the below data, I received the following 1. logMsgType: *dTrace* 2. logMsgType:...
How to edit my log4j sourcetype configuration on my Splunk forwarder for...
I have a java app that writes to a log file... I have configured a Splunk forwarder to forward this log (using source type 'log4j' ) to our Splunk indexer (central server located in different...
How do I remove STDOUT prefix from log4j on a server.log file?
I've got a log file that has some log4j entries like this: 2016-05-03 10:32:35,895 INFO [STDOUT] (http-0.0.0.0-8180-2) 2016-05-03 10:32:35,895 ERROR [com.somewhere.someservice] - Reason : .... Where...
How to edit my sourcetype in props.conf to prevent Splunk from splitting...
I've got my props.conf set up for reading entire files as one event as such: [sourcetypename] SHOULD_LINEMERGE = false LINE_BREAKER = ((*FAIL)) TRUNCATE = 999999999 MAX_EVENTS = 999999999 The file I am...
Need help with props.conf and transforms.conf for an XML file
Hi, I am indexing a set of XML files from an S3 bucket, and having trouble getting my config set up correctly. The XML structure looks like (though it actually has no line-breaks in it); My...
Saving extracted field in Props.conf Vs Using regex extraction directly in...
We had a search query where we extract field 1 and field 2 using regular expressions. We have a doubt here about which of the dashboards will load faster. Case 1: dashboard whose extracted fields are saved in...
EVAL not working in props.conf but works fine in search for converting IP...
Hello Experts, I have a field called "src" which contains IP addresses in decimal format but I want to change the format to IPv4. I have an eval as mentioned below: WORKS FINE FOR INLINE SEARCH eval...
Is an entry in props.conf required to allow an entry in transforms.conf to be...
When the following question was asked in this forum: What is the role of transforms.conf vs. props.conf for field extraction? The answer was: The high-level answer is that props.conf says what rules...
Are there pre-defined props and transforms.conf configurations for Equallogic...
Equallogic and Compellent use non-standard syslog formats when sending events. Are there pre-defined Splunk configurations (props.conf and transforms.conf) that will correctly parse these events?
How do I edit my props.conf for proper line breaking of my sample multiline...
Hello once again. Working with a distributed environment (Universal Forwarder > Heavy Forwarder > Indexer) I have a particular log file that writes a timestamp every line, though the "event"...
Where is the proper place to use INDEXED_EXTRACTIONS = JSON -- the indexer or...
[https://answers.splunk.com/answers/174939/why-are-my-json-fields-extracted-twice.html][1] shows this props.conf entry on the forwarder: [json_app] INDEXED_EXTRACTIONS=json KV_MODE=none However, this...
Sophos events not "sourcetyped" according to inputs.conf
Hello to the community! I am trying to index Sophos events into Splunk but I am facing a problem. I have set up the XML file of the Sophos Reporting Interface, I have all the logs exported to a folder...
How to index host specific event logs?
Hi, The overall scenario goes like this: I have multiple Active Directory servers in my environment. I want to index all the event IDs from one AD whereas I want only a few event IDs to be indexed for a...
How can I sift out TRACE and DEBUG entries so that splunk doesn't index them...
Hello, our splunkforwarders are configured to pull in certain logs from various clients with a "[monitor://]" entry in the inputs.conf file on each client. There is still on-going development work on...
How do I line break this data source?
ComputerTarget=EDITED; NeededCount=31; DownloadedCount=0; NotApplicableCount=82225; NotInstalledCount=31; InstalledCount=32; FailedCount=0 ComputerTarget=EDITED; NeededCount=202; DownloadedCount=0;...
Pulling data from Fluentd Plugin to Splunk, how do we transform the data to...
We are pulling data like Red Hat logs, Apigee, Ansible etc. from AWS through fluentd plugin which is forwarding data to our Heavy Forwarder in AWS, and then from that, the HF to another HF in a DMZ to...