How to edit my props.conf for a custom field extraction based on the source...
I'm having issues creating a custom field extraction based on the source field. Here's all the information. inputs.conf - Heavy Forwarder [monitor:///mnt/splunkLogShare/TS2/...] disabled = 0 index =...
View ArticleHow to configure Splunk to break my sample log data into separate events, not...
Hi, I have the below log data: 16:37:56.875 [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG splunk - {'externalRefId':'exr654321','message':'input:...
View ArticleHow to extract specific lines in a multiline event based on regex match?
I am trying to analyze exception logging that is written across multiple lines, and extract only certain lines of the event into fields. I have been reading documentation and posts which seem to...
View Article_time or time not being populated correctly from a CSV file
Having issues getting time right. My time is currently being populated by file creation time & not the 2nd column of the CSV file. In troubleshooting, I've extracted time out a couple times. DATE_...
View ArticleCannot merge events MUST NOT BREAK BEFORE not sticking.
Hello! Our application creates a log file a day. In the log file, every line is divided into a separate event. I am trying to have Splunk merge all the lines into one event. Simple right? Not in my...
View ArticleSplunk Add-on for Cisco UCS: Why is the timezone offset for certain sources...
I have two sources in Splunk that for some reason started to offset and I don't know why. sources - source="cisco:ucs:etherTxStats" OR source="cisco:ucs:etherRxStats" props.conf...
View ArticleTrying to get SNMP data into Splunk, why am I getting error "A possible...
I have followed the following links for getting SNMP Data into Splunk: http://blogs.splunk.com/2013/11/06/adventures-with-snmp-and-cisco-nexus-pt1/...
View ArticleHow to configure Splunk to break events that start with a certain pattern...
I have the logs like below pattern. I want to break the events that starts with `<94>1`and then timestamp<94>1 2016-08-31T17:31:25.633-07:00 hostname-1-p02.domain.com GAMFT - FTP Audit Log...
View ArticleHow to index everything on a Splunk index from a specified scripted source
Hey Splunkers, It has been days since I installed a new app on our Splunk Enterprise system. The app seems to not be supported anymore as the last version was for Splunk v6.1 and I am on 6.4. Anyway, I...
View ArticleHow to set date & time stamps across two lines in xml where time was already...
Hi Team Trying to ingest an xml file in the following raw format(extracted portion for sample but each event consists of much more values) 2015-08-08T00:00:0023:58:00MCP I have line_breaked based on...
View ArticleWhere and how to define TIME_FORMAT in props.conf?
I have props.conf in 3 different directories as follows: 1) Splunk_Home/etc/apps/learned/local/props.conf [splunk-config-too_small] PREFIX_SOURCETYPE = True SHOULD_LINEMERGE = False is_valid = True...
View ArticleHow to configure Splunk to parse and recognize key value pairs with brackets...
I have single event looking like below and trying to figure the best way for Splunk to recognize the key-value pairs. Ideally would have each line as a separate event. { "compsModelObjectName":...
View ArticleSome splunk events indexing without any date in them which makes manually...
Some splunk events indexing without any date in them which makes manually insert the date in search query to search.. Now how can I make them indexing with certain date format? Splunk version ;-6.1.8...
View Articletransforms and props.conf splitting sourcetype not matching
I'm trying to follow the pattern of matching a string and transforming the event into a new sourcetype. I'm using a sourcetype for syslog defined in inputs.conf; it is being read from logs....
View ArticleHow to configure Splunk to prevent line breaking events on ASCII character...
I have syslog messages arriving at the indexer with embedded ASCII form feed characters (#012). Splunk is breaking on these characters, and I want to avoid this. How can I tell Splunk not to break on...
View ArticleJSON - options either limits/tuncates events OR extract twice.
Hi Guys Pretty new to all this and struggling to understand all the other answers. I have a cronjob which is extracting CMDB data from service now in json format at 1am each day. its over writes a...
View Articlewhat could be the reason for some splunk sessions observed to be in the...
Default date in the Splunk session is observed to be in the DDMMYYYY format ( ideally it is in MMDDYYYY format) Due to this Splunk session shows "No results" for these logs Some Splunk sessions do not...
View ArticleHow to edit my props.conf to extract the timestamp at the end of my sample...
I have the following syslog data and I need help extracting the timestamp field at the end of the event: Sep 6 06:07:20 2016-09-06 06: 07:20,165 192.168.0.0 CPPM_Dashboard_Summary 17000 1 0...
View ArticleHow do I change the date format from MMDDYYYY to DDMMYYYY to get my expected...
The following is my search and its result: Search 1: earliest="01/08/2016:00:00:01" latest="01/08/2016:23:59:59" `getABCsWin("XYZ","abc12345678")` Result 1: No results found. Time format used in...
View ArticleIs there a way to disable a sourcetype in props.conf to no longer index these...
Hello, I would like to disable a sourcetype defined in props.conf. I do not want anymore events related to this sourcetype. There is no disabled=1 in props.conf. I found LEARN_SOURCETYPE though, but...
View Article