Which is the best way to extract fields: field extractor, rex and eval...
Out of three ways to extract the fields, 1. BY using `rex` or `eval` command in search 2. By using `field extractor` option 3. By adding entries to the `prop.conf` and `transforms.conf` Currently, I am...
How to configure props.conf for line breaking and time recognition for mixed...
How should props.conf be set up to both line break and time recognise normal events (first 2 lines) and ones with an XML payload ? INFO 2016-07-05 12:03:39,123 (com.CacheService) - Caching element=[...
Monitoring logs on a Windows forwarder, how do I configure line breaking so...
Hi, I have a forwarder on a Windows server that is pulling logs from a folder. Logs are in a single file (multiple lines - each line per event). Each event for that index contains multiple lines in...
Can you tell me what I am doing wrong with my props.conf for this JSON file?
All, I have the following little JSON dump which works perfectly out of the box. But for best practices I was writing out my entire props.conf. [root@SERVER bin]# ./callstatus.sh { "current": {...
Splunk conf file precedence: Can I have multiple props.conf files for the...
I have syslog coming into 2 forwarders. I have the cisco app tagging the data for the Cisco Security Suite App. I wanted to add a few lines to change the index to a new index instead of the default...
How to find where an extracted field was created that appears in searches?
Trying to find where a field was created that appears in a search against our BlueCoat proxy logs. The field is **s_supplier_ip**. I have searched all of our indexers, heavy and light forwarders, and...
How to break Weblogic JVM events using regex with multiple timestamps &...
Hi All, I have the following JVM logs: May 8, 2016 1:26:26 AM IST Warning Socket BEA-000449 Closing socket as no data read from it on x.x.x.x:x,x during the configured idle timeout of 5 secs...
Does props.conf support wildcards?
All, I found myself writing this props.conf today. Say I have this: [tomcat:src:server] EXTRACT-springapp_name = /var/log/containerlogs/(?.+)/\d in source EXTRACT-containerid =...
How to edit my props and transforms.conf on an indexer to filter out certain...
I am trying to filter out certain Windows Events before they are indexed. I need to do this at the indexer if at all possible. I have tried to follow guidelines posted at...
Why is my nullQueue configuration not working at app level?
I would like to eliminate the unnecessary content in the events because I have a small license. I want to remove the text and 20 `.` characters from each of the events. So I added two stanzas in...
How to edit my regex to extract the type and message fields for the exception...
I am trying to extract the type and message field for the exception information in the application logs. I have abstracted the logs because they are quite long. The logs can have between 1 to 3...
Events breaking on dates instead of the must break only on param
from btools prop list run on search head. The events still break on dates within the events rather than the "---------" so we have a bunch of partial events being indexed. [sourcetypes] ANNOTATE_PUNCT...
Why do a few stanzas in props.conf have disabled=false and no specified value...
I don't see any proper documentation, why `disabled = false` is in props.conf, below is my stanza [WebService] category = Application description = wEb SeRvice logs disabled = false NO_BINARY_CHECK =...
How to edit our props.conf and transforms.conf to parse a CSV file we are...
I am trying to configure the props and transforms conf files for logs that's in .csv format that we're querying via a virtual index in Hunk. My props.conf file is configured as follows:...
Need help with props on multiline event
We're bringing in syslog's from datapower units, and they have a rough log setup: Jul 22 09:00:20 10.214.8.104 [0x80c0003f][xxxxxxSSOSPDebug][info] xmlfirewall(SSOAuditLogFW):...
Having some trouble with an infinite forwarding loop - Windows Event Logs
Hello I'm having a problem with Windows Event logs coming into Splunk. Windows Events log every time that the Forwarder connects to the Indexer, generating about 25GB of data per day. I had this fixed,...
How to configure Splunk to break events after an empty line or before certain...
We have the logs like below pattern. We want to break the events after an empty newline or starting before `ERROR:` or starting before `TypeError: ` Can you please tell us how to adjust this props.conf...
How would you manipulate the host name at index time based on serverclass?
What would a props/transform look like on an indexer that would append to the hostname field at index time based on the serverclass of the forwarder sending events? If we are launching different...
Understanding search time vs index time
Despite having recently finished the Splunk Admin course, I'm still fuzzy on the terms "index-time" and "search-time" especially when it comes to actually configuring the indexer and search head in a...
How do I redirect data to a different set of indexers via my heavy forwarder?
All, I want to set aside a handful of indexers to store important data. I have a heavy forwarder setup. So should be an option in transforms.conf to redirect specific sources.. But for the life of me...