How to parse JSON to extract multiple-line events?
I have one JSON file that contains many objects like this: { "id": 1, "name": "toto", "price": 1.50, "tags": ["travel", "red"] } { "id": 2, "name": "toto", "price": 12, "tags": ["home", "green"] } I...
Moral equivalent to | multikv forceheader=x in props/transforms?
I have some table formatted data coming into Splunk where the field names are on the second row. Creating a search that uses multikv is easy enough ... | multikv forceheader=2 What I'm wondering is how...
Splunk Add-On for Cisco ESA: How to create props.conf and transforms.conf for...
Has anyone created props.conf and transforms.conf for the Splunk Add-On for Cisco ESA/IronPort AMP logs? Each step creates a log entry and the ESA App only does the MID. Each of the other events need...
Windows event log XML not parsing with KV_MODE = xml
I have made the following change to a forwarder to send JUST applocker data as XML: [WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL] disabled = 0 renderXml=1...
When trying to forward IIS logs from one indexer to another indexer, why is...
From indexerA I am trying to forward Windows Event Logs and IIS Logs to indexerB. The Windows Event Logs are being forwarded properly, but the IIS Logs (sourcetype=iis) are not. (Splunk Enterprise...
What is the correct parameter in props.conf for a CSV file?
Hi all, I'm pretty new here. I need to assign a name to the fields of an imported .csv file, but it doesn't work. In the props.conf file I'm using these settings: DATETIME_CONFIG = INDEXED_EXTRACTIONS =...
How to send month-old logs to Splunk via oneshot and maintain their correct...
Hello all, I've been indexing Infoblox DHCP and DNS queries for a couple of months now. Because of the amount of logs we're getting, we syslog all of our data to a log collector, and forward it on to...
How to configure props.conf and transforms.conf to ignore the first two lines...
We have following log file which we need to import in Splunk:...
What is the best way to handle JSON data with nested arrays?
I am having some trouble working with JSON events. I use Splunk Enterprise 6.4.1. I'm using KV_MODE=json in my props.conf file. For regular fields and top level arrays, it's working great. However I...
Is it possible to prevent indexing part of a line in a log file?
I know it is possible to skip lines in an input, however, I have the case where I want to skip part of a line. For example, I have an inputs.conf stanza like the following:...
Extract Per Event Headers
I have a funny little log file. The logs look like this: foobar chock run with flags '-v' at Thu Aug 1 11:05:31 GMT 2015 -- --------------------------------------------------- foobar: chdir . foobar:...
How to use LINE_BREAKER from one source with multiple sourcetypes?
Hello, I'd like to use LINE_BREAKER and SHOULD_LINEMERGE for logs coming from a unique source but the logs are related to multiple devices. **inputs.conf** [tcp://34065] connection_host = none host =...
Extracting multi-level host name
I would like to extract both directory and subdirectory information while importing data. So basically the directory structure is like this...
Need help with linebreaker for array of JSON objects
I am indexing json files. Each file contains an array of around 1,000 json objects (with nested arrays/objects). I need to extract each object as a single event. (See sample json source and props.conf...
How to blackhole unwanted server logs by configuring props.conf and...
Our main syslog server just forwards everything to Splunk. We have exclusions in syslog for certain applications but we would still like to clean out anything not vital to Splunk. I've attempted to set...
How to change the truncating limit in the props.conf file for a scripted...
**I have in the input.conf as an example a scripted input on the server where the Splunk Universal Forwarder is installed** [script://.\bin\LongRunningQueriesRpt.path] interval=*/1 * * * 1-5 disabled =...
How do I rename a DNS named host to an IP address host?
I have a remote host that is sending logs via a universal forwarder. The logs are arriving with a hostname of "prodsde01". How can I change this to an IP address instead (i.e. 10.201.1.10)? I tried the...
How do I extract two different variations of a timestamp from the same...
For one of our syslog devices, some events that come through only contain the syslog datetime format, while there are others that contain the syslog datetime AND a "timestamp=" field at the end of the...
Receiving "Failed to parse timestamp" errors. How to configure props.conf...
I am seeing many `Failed to parse timestamp. Defaulting to timestamp of previous event`. I have configured the props.conf using the `TIME_PREFIX = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} or TIME_FORMAT =...
Why are events being indexed appearing to be timestamped in the future?
I have events that are being indexed and appearing to be timestamped in the future. The raw events contain a timezone: 2016 Sep 27 14:11:00:999 GMT +1 DOUGTEST2.C2020Tmp-Process_Archive user [BW-User]...