How can I define props.conf with respective source types?
I have a text file with some data below. How can I define my props.conf file with respective sourcetypes? **file 1 of sourcetype=s1** Batch Counter Cache Name CacheSize MemoryBytes MemoryMB Avg Object...
How to edit my configuration to line break events at every "= ID:" in my...
Some of the events are not being broken down. It works most of the time, but will not break lines a couple of times, each time the log gets ingested. Moreover, the config works fine in my test...
How do I configure line breaking in props.conf for my sample log file?
Would like the events to be split after `) --[End]--------------------$` (0x03000000:NameValue)urn:hl7-org:v2xml:Remainder = NULL$ )$ )$ )$ )$ ) --[End]--------------------$...
How to configure Splunk to properly parse logs that contain one or more...
Hello Splunk community, Currently I am doing research as an intern at a government agency on whether their Windows services written in C# can have their logging end up in a Splunk environment. All of these...
What is the best way to route syslog data from UDP port 5140 to several...
I'm trying to route syslog data coming in on UDP port 5140 to several different sourcetype/index combinations. Here is a snippet of each file. Can anyone give me an idea of where the problem might be?...
I have started the conditional logging on Splunk, but I'm still getting the logs?
I have configured transforms.conf and props.conf at the path below ###/opt/splunk/etc/apps/search/local ###transforms.conf [setnull] REGEX = INFO DEST_KEY = queue FORMAT = nullQueue ###props.conf...
How to edit my time_prefix and time format in props.conf?
**Oct 20, 2016 11:49:56 PM UTC** Here is my time format, and every event starts with the time. In my props.conf I had TIME_PREFIX=TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 28 TIME_FORMAT=%m/%d/%Y...
What configuration changes are needed to prevent a field with over 162706...
Hi, We are using Splunk 6.5.0. After setting up a custom sourcetype csv_sql using the scripted input stanza which calls a powershell script to connect to sql server and output data in a comma delimited...
Is the timezone configuration in props.conf static or dynamic? Do we...
We have a standardized log format while onboarding log files into Splunk. The timestamp should come with server date/time along with UTC offset. I now want to onboard the log files which don't have...
How to edit my datetime.xml to extract the date from a filename to use as the...
I have read multiple blogs and answers and couldn't find anything that helps. The filename will be something like this: `blah_blah_blah....161030.txt` I have checked my regex on regex101 and it works...
How to edit my props.conf for proper event line breaking based on my sample...
Ok, I give. I can't seem to figure out why this is failing... This is the log: (Suitably neutered) 2016-11-03 13:34:00,654 [10] INFO XXXXXXX_YYY.XXXXXXX - Script Name Input: 2016-11-03 13:34:00,716...
Which of these field extractions defined in props.conf will Splunk consider...
I'd extracted 2 fields in props.conf as below: [abc_xml_v1] EXTRACT-abc_rac_cd_instance = ^/(cs|app)/abc/.*/adump/(?[^o][^_]+) in source EXTRACT-abc_single_cd_instance =...
Why are search results in Splunk Web getting truncated and not parsed...
I am seeing an issue with results being truncated and not parsed correctly for some events when I do a search via Splunk Web. However, if I export the results and look at the event, the entire log is...
Why is index-time JSON field extraction not working for events from a .gz...
We are trying to extract fields at index time for JSON-format events from a .gz file; however, it is not extracting the fields and also not extracting the event time from the JSON field. Can you...
How do I get Splunk to use the timestamp of my data?
Hi, I have events that look like this 192.168.10.124 - - [02/Nov/2016:08:59:59 +0900] "GET /ICHealthCheck/serverstatus HTTP/1.1" 200 2 "-" "a10hm/1.0" And I need Splunk to use 02/Nov/2016:08:59:59...
How to prevent duplicate events on an XML file that is updated all day?
Our file lands on a Windows server. We are using a Universal Forwarder. The file structure is XML starting with a tag, and then tags update events all day at various intervals. We are getting many...
How to edit my props.conf to make sure CSV file data gets indexed?
Hi, I am using the props file below for CSV, but data is not getting indexed or sent into Splunk. I need help updating props. [data_csv] DATETIME_CONFIG = INDEXED_EXTRACTIONS = csv HEADER_MODE = firstline...
How to edit my props.conf to take timestamp from an updated field?
Hey everyone. I read all the nearest posts about timestamps and still can't make it work. So, I have events like this: ....................."2016-11-01T21:33:16.000+0300",splunk,splunk...............one,...
How to update props.conf to extract timestamp from my sample data?
Please help me with my props.conf file. I have sample data below and I want to extract the timestamp from it. BREAK_ONLY_BEFORE= TIME_PREFIX= TIME_FORMAT= 10.123.123.12 - -...
How to edit props.conf so Splunk will recognize a month's time format when...
Seeking help with TIME_FORMAT in props.conf. I'm trying to get Splunk to recognize a time format in the form of "JAN 3 2016". Seems simple enough, but none of the strptime fields address the month...