Why is Splunk importing header fields from CSV files as events?
Hi guys, I do a data input from a folder. The folder contains CSV files. Splunk imports all the data in a correct way, except one thing: Splunk imports the header fields as an event... but why? If I do...
Importing data from a CSV file, how do I edit props.conf to assign a specific...
Hi guys, I do a data import from a CSV and I would like to set the event time (_time) to a specific column because the automatic timestamp assignment did not work for me. Is my config possible? What is...
How to edit our props.conf to assign a time field in our sample JSON event as...
Can you please tell us how to assign event log time (ALERT_TIMESTAMP fields value ) as the event timestamp (_time)? Seems the below props.conf entry is not working properly. Please review and provide a...
Splunk Enterprise: index-time parsing configuration creating/editing of...
Hello, 1. Based on Splunk's recommendation the best path for this file "props.conf" is: $SPLUNK_HOME/etc/system/local. If it is not there then it must be created. In our case if in: $SPLUNK_HOME/etc/apps/ there...
How to edit my props.conf for proper line breaking of a large event by the ∑...
I am having trouble with being able to properly line break an event like the following: Here are the props I am using LINE_BREAKER = (\∑) SHOULD_LINEMERGE = false TIME_PREFIX = <6>...
Generating props.conf and transforms.conf from Splunk web
Hi all, since I'm quite new at this, I was wondering is it possible (on Windows) to generate props.conf and transforms.conf from Splunk Web (or to just slap some command from the command line)? I've set...
How to filter out audit id field from Brightmail logs in Splunk?
Hi Splunkers: I have an issue filtering out a field called **Audit ID**. Each email is assigned this number as it passes thru a mail exchange, so the conventional wisdom would be that if I search on...
Splunk changes not reflecting
I configured my server logs in Splunk. When I saw the logs in Splunk I realized I had set up some wrong properties in props.conf. Now I have rectified the properties in props.conf and restarted the server. Somehow I...
Why is the order of FIELD_NAMES in props.conf getting reorganized when I go...
I have a file I'm reading in with music history. Very simple tab delimited file with a props.conf entry. This entry is in the etc/apps//local directory. [music] FIELD_DELIMITER = tab FIELD_NAMES =...
props.conf stanza and zip files containing logs
Hi everyone, yesterday I spent most of the day battling through transforms.conf and props.conf - with lucrative results. Today however, a slight anomaly occurred, please see below ... This works well...
How to update a lookup with a scheduled search by appending new data or...
I can't seem to find this scenario which is odd. Basically I want to update a list of usernames. I want to run an initial search over a time frame to create the initial lookup. I then want to run a...
How do I configure props.conf for Splunk to index a binary .dat file?
Hi, today I encountered a strange thing in Splunk. I have Splunk 6.4.1 running on a Linux server. I tried to index a .dat file using a Universal Forwarder (Windows 6.4.1) and see that no data is coming in...
I created a field that has 3 values. How can I change one of the values from...
I created a field and it has 3 values. I just want to change one of the values from WARNING to WARN using lookups (.CSV). I also want to know how to configure it in props.conf.
How to edit my current props and transforms.conf to eliminate the first 10...
I have a log that I want to throw the first 9 lines to the bit bucket, but I can’t seem to get the transforms.conf to do it. It’s doing the opposite of what I want it to do – it’s eliminating...
How to drop incoming deny logs from firewall logs
I am trying to filter out all inbound deny syslog that the firewall is sending. I have a props.conf like this: [srx_log] TRANSFORMS-srxDrop = srxDropDeny. I have transforms.conf like this...
Why is there a 2 hour difference between _time and the actual events'...
I configured a 6.2 forwarder to send data to one of my receivers also running 6.2. Data is getting into the receivers, but the problem is, the data which is being pulled into the receiver has a 2 hour...
Is it possible to configure INDEXED_EXTRACTIONS to parse both JSON and plain...
I had configured a JSON output in `/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/local/props.conf`: [my-sourcetype] INDEXED_EXTRACTIONS = json KV_MODE = json My question is: majority logs for...
How to edit props.conf to adjust the default UTC timestamp?
Hello, I'm trying to adjust this raw data seen below. Our office is EST and the FireEye appliance is BST, but the test alerts I'm generating are coming in UTC. I've looked all over the place to change...
Props.conf extractions
Any reason why my statement for props.conf isn't showing up as an extracted field? EXTRACT-kls_error = (?(kls_error_*)\w+) When I use just the rex in a search it gets the exact info that I need but...
Extracting field using rex props.conf
I have data that looks like this: **** Error Wed Aug 24 09:36:52 CDT 204941272049412507 /nitro/com/t/Manager Cexception for the payment id - nitro.com.Exception: The field with id pg73180373180 failed...