How to build a regular expression in order to mask password text in props.conf?
I have the following string in the events and I would like to mask the password text using SEDCMD. Content={"Login":"stuff@stuff.com","Password":"thingsandstuff"} Does anyone have any thoughts on how to...
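The question above asks for a SEDCMD that masks the password. As an added example (not part of the original question and not Splunk code), the Python below is a small dry-run harness that parses a Splunk-style `s/regex/replacement/flags` expression and applies it to sample events, so a candidate SEDCMD can be checked offline before it goes into props.conf. The two sample events are constructed; the first mirrors the shape quoted in the question, the second adds an escaped quote inside the password value to show where a naive `[^"]*` pattern stops early and leaks the tail of the secret. Python's `re` module is used as a stand-in for the PCRE engine Splunk uses; the two agree for these patterns, but the final expression should still be confirmed on a test index. The `y/` transliteration form of SEDCMD is not handled.

```python
import re

# Constructed sample events for the dry run (not taken from any real system).
EVENTS = [
    'Content={"Login":"stuff@stuff.com","Password":"thingsandstuff"}',
    # Escaped quotes inside the value, which the naive pattern mishandles.
    'Content={"Login":"a@b.com","Password":"pa\\"ss\\"word","Role":"admin"}',
]

# Candidate values, written exactly as they would follow
# "SEDCMD-mask_password = " in a props.conf stanza.
NAIVE_SEDCMD = r's/("Password":")[^"]*"/\1########"/g'
# Consumes backslash-escaped characters inside the JSON string, so the match
# cannot end at an escaped quote. A fixed-length mask also hides the length.
ROBUST_SEDCMD = r's/("Password":")(?:[^"\\]|\\.)*"/\1########"/g'


def parse_sedcmd(expr):
    """Split s<d>regex<d>replacement<d>flags into its three fields.

    A backslash-escaped delimiter inside a field becomes the bare delimiter;
    every other escape sequence is kept intact for the regex engine.
    """
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError("expected s<delim>regex<delim>replacement<delim>flags")
    delim = expr[1]
    fields, current, i = [], [], 2
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            nxt = expr[i + 1]
            current.append(nxt if nxt == delim else ch + nxt)
            i += 2
            continue
        if ch == delim:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    if len(fields) != 3:
        raise ValueError("malformed SEDCMD expression: %r" % expr)
    return fields[0], fields[1], fields[2]


def apply_sedcmd(expr, text):
    """Apply one SEDCMD substitution to the raw text of a single event.

    Flags handled: none (first match only), "g" (every match) and a number N
    (only the Nth match), which are the flag forms SEDCMD accepts.
    """
    pattern, replacement, flags = parse_sedcmd(expr)
    regex = re.compile(pattern)
    if flags == "":
        return regex.sub(replacement, text, count=1)
    if flags == "g":
        return regex.sub(replacement, text)
    if flags.isdigit():
        wanted, seen = int(flags), [0]

        def nth_only(match):
            seen[0] += 1
            return match.expand(replacement) if seen[0] == wanted else match.group(0)

        return regex.sub(nth_only, text)
    raise ValueError("unsupported SEDCMD flags: %r" % flags)


def dry_run(expr, events=EVENTS):
    """Return the masked form of every sample event for a candidate SEDCMD."""
    return [apply_sedcmd(expr, event) for event in events]


if __name__ == "__main__":
    for label, expr in (("naive", NAIVE_SEDCMD), ("robust", ROBUST_SEDCMD)):
        print(label)
        for masked in dry_run(expr):
            print("  ", masked)
```

Once the robust expression checks out, it goes under the sourcetype's stanza in props.conf on the parsing tier, e.g. `[my_sourcetype]` followed by `SEDCMD-mask_password = s/("Password":")(?:[^"\\]|\\.)*"/\1########"/g` (the stanza name is an assumption). Two caveats matter in practice: SEDCMD runs at parse time, so it must live on the indexer or heavy forwarder, not on a universal forwarder, and it only affects data indexed after the change; events that were already indexed with the cleartext password stay in the index until they age out or are deleted.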
How to configure line_merge in props.conf so that lines will not be merged...
Hello, For a particular sourcetype I am trying to configure props.conf so that the lines are not merged. I have created /opt/splunkhome/apps/custom_addon/local/props.conf and set it to this:...
What is the procedure to monitor changes to file content?
Hi, What is the procedure to monitor changes to file content? As per my knowledge, we can add some parameters to the props.conf file. Can anyone please provide a step by step procedure to achieve this?
TAB delimited extraction strips leading backslash
One of my data sources is related to file-system data from a third-party product. The data is tab-delimited *without* field names. Extraction is achieved via **transforms.conf** as follows (field list...
How to add new fields at index time depending on a condition
Hello All, Is this possible in Splunk, where we can add new fields and their value will depend on a condition, in the `transforms.conf` file or in `fields.conf`? E.g., while indexing we have a field called...
How to split data based on field value into two different indexes?
Hi, I would like to route the data into different indexes based on a field value. Let's say I have a field **F5_TYPE** with two values 'INTERNAL' and 'EXTERNAL'. Here, I want to route data with...
How to edit my props.conf so that each line of the log file is one event?
I have a log file which is being sent to Splunk. When I search, I see 257 lines in one event and the remaining lines as separate events. I tried the below, however it is not working. cat ~/local/props.conf...
How to fix Docker container JSON logs that are not being formatted correctly?
We are using the latest TA for Docker logs, ta-dockerlogs_fileinput. When we look at the data within Splunk, each line of the message is showing up as a different message. I have attached the sample...
How to write props.conf to extract an epoch time as timestamp from events?
I have an epoch time in my events: timestamp=1478787869121. How to write props.conf to extract this timestamp?
Splunk Add-on for Cisco WSA: How to extract the user from Cisco WSA logs?
Hi, From the Cisco WSA logs, I get the user information as `user=ABCDEFEGH\kiran@ka.ABCDEFEGH.com`. What should I use in props.conf to extract the user by removing ABCDEFEGH\ and @ka.ABCDEFEGH.com at...
Overwritten sourcetypes not searchable
Hi fellow splunkers, I ran into a problem regarding "Overwriting of an existing sourcetype via props and transforms". Let me tell you more about my current scenario: I have to connect some...
Is there a logging or debug tool to identify all props and transforms that...
Hi All, This has happened to myself and other colleagues on more than one occasion. We go to resolve some issues with a customer's Splunk installation and find that a field extraction somewhere in their...
How to edit my props.conf to linebreak a Simple XML log into multiple events?
Hi, I have been trying to implement a stanza to break a long line of XML into multiple events, but it is not functioning as expected. As you can see, it is Simple XML with every "event" ending with the...
Palo Alto Networks App & Add-on for Splunk: Why can I only see extracted...
We have a distributed deployment with both indexer and search head clusters. Splunk App for Palo Alto is installed on the search heads while the TA-paloalto is installed on the indexers. The TA is...
In props.conf, why is BREAK_ONLY_BEFORE_DATE not properly line breaking my...
My props.conf is like:
BREAK_ONLY_BEFORE_DATE = true
TIME_PREFIX = GMT
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
MAX_DAYS_HENCE = 5
MAX_TIMESTAMP_LOOKAHEAD = 24
SHOULD_LINEMERGE = true
and my events are like...
How to resolve a "DateParserVerbose - Failed to parse timestamp" error with...
I have an Ironport log file that looks like the following: Thu Nov 17 16:11:20 2016 Info: MID 123456789 ICID 123456789 To: Rejected by Receiving Control Thu Nov 17 16:11:20 2016 Info: MID 123456789...
How to edit props.conf and transforms.conf to extract fields and values that...
I need sample code for field extraction at index time in props.conf and transforms.conf for the below use case. I need to extract the fields and values for the fields which start with dv_. Please...
Will the configurations in props.conf and transforms.conf result in my...
I've had a hard time finding an answer to this, so hoping someone out there in Splunk-land can assist in resolving this once and for all. If I have the following config in props.conf [syslog] TRANSFORMS-regular...
How to edit props.conf to line break a single line event into multiple lines?
I have a single line event as shown. I have to break it to multiple lines starting at `{IBP_LKL` . May I know what setting I should use in props.conf? {IBP_LKL_MKL=avfg , gfdjgkjfsidhfkhs;...
Excluding header from CSV to be indexed
Hi, I have a CSV file with a header that is monitored by Splunk. Rows are correctly read but the header is also included as an event row. I just want to have the header as extraction fields (which...