How to remove an invalid line breaker from syslog before indexing?
Hi everyone, I've got an application sending data to Splunk which is split over multiple lines instead of being kept on the same line. When I redirect my data to a file instead of Splunk, I can...
How can I route data to specific indexers using a heavy forwarder?
I have a universal forwarder that sends 2 source types to a heavy forwarder successfully. I need this heavy forwarder to route the received source types between 2 indexers. My configurations on heavy...
Why am I receiving lookup error "could not find the specified lookup fields...
Hello Splunkers, I am facing this strange error since I installed the Palo Alto Networks App for Splunk. This error is coming to every...
Problem: Unable to send cooked data to two different Indexer ports
Hello Experts, I have an issue where I am unable to send cooked data to two different Indexer ports. My flow of traffic is UF > HF > IDX UF IP: a.a.a.a HF IP: y.y.y.y IDX IP: x.x.x.x 1) Universal...
Issue with JSON event break regex
I've been asked to ingest some JSON logs for auditing purposes but I can't get the event breaking right. I'm pretty good with regex but this one is stumping me. The regex shouldn't need to be...
Time stamp stanza
I want to make sure I understand this. I have logs that Splunk cannot find the time stamp on, and some are missing. For the logs that have the time in them I would just use this in props.conf on the...
How to create a line break in an event log?
Hello guys, I need to create a line break in an event log; I have the [ \n ] in the log. I tried this: | rex mode=sed field=_raw "s/[\\n]/\n/g" This log: 6.6.6.6 ASM: "Non-arowser Client","2014-07-15...
Unable to change TZ in props.conf for host?
I am able to modify the TZ attribute as follows in $SPLUNKHOME$/etc/system/local/props.conf [source::mysource] TZ=US/Pacific However, I am unable to replicate the same functionality via the host...
Setting up props.conf at the heavy forwarders
I have an app for which the basic inputs.conf was set, and the app was forwarding logs to the indexers without any issues. Then the format of the logs changed, due to which I had to write a props.conf....
Time stamp field using transforms.conf
Hi All, I have a CSV which uses semicolon as delimiter and I am using Props and transpose to extract the fields. But I am assigning the field names in the transpose and am not able to set the _time field. Please let...
How to edit props.conf in order to have JSON log events listed in...
We have the following logs coming into Splunk: {"log":"\u0009at org.apache.lucene.store.Directory.openChecksumInput(Directory.java:113)\n","stream":"stdout","time":"2016-10-07T10:10:38.971217557Z"}...
How to sedcmd??
The format of the logs is as follows: SNMPv2-SMI::mib-"2.2.1.2.1" = "lo" SNMPv2-SMI::mib-"2.2.1.2.2" = "eth0" SNMPv2-SMI::mib-"2.2.1.2.3" = "eth1" ~~~~~ The props.conf setting is as follows. [snmp_test]...
How to configure our expected timestamp format in props.conf?
Hi, we need to format our time stamps using props.conf, since our events do not have date/month/year in them; they have only `%H:%M:%S`. We need to append `%Y/%M/%D` to every event. This is for our...
Why does field extraction work in dev environment but not in prod environment?
I ingested a CSV into our dev environment, had it create the props stanza with the field extractions I wanted, and copied this over into our prod props.conf. This works as expected in dev; I can...
How do I configure Splunk to recognize my custom delimiter for proper field...
I currently have a log statement which has a custom delimiter: `{|}` Where an example log statement would look like: Oct-13 12:17:13 | INFO| [Logger:152] Message{|}Activity1{|}userDeletedProfile{|}John...
HTTP Event Collector: Is it possible to send multiple events in one API call?
In HTTP Event Collector, is it possible to send multiple events in one API call? I tried setting line break properties in props.conf, but unfortunately that did not help. Here's what my props.conf look...
Extracting Timestamps from JSON logs in Splunk 6.5.0
I have a JSON formatted event and I am trying to get props.conf to recognize the timestamp. The timestamp occurs at the beginning of the event with "ts": (see example event below) I have in my custom...
After deploying KV_MODE = auto_escaped in props.conf to my search head...
I am trying to set up KV_MODE = auto_escaped for a particular source. The stanza looks like the following: [source:///var/log/test.log] KV_MODE = auto_escaped I used the test data directly from the...
SEDCMD for MAC addresses that are missing leading zeroes between colons
So, some companies in their infinite wisdom strip leading zeroes from the bytes WITHIN MAC addresses, so we end up with logs that make it a little hard to search consistently. I suppose a little mental...
Why is CSV Timestamp recognition not working with my current props.conf for...
I have 3 environments: Laptop - Splunk 6.5.0 Test - Splunk 6.4.3 Prod - Splunk 6.3.2 In the first two environments, I am able to pull in a csv nightly and grab the timestamp from the first...