How to edit props.conf to exclude headers in CSV files from getting indexed?
Hi, I have a CSV file with a header that is monitored by Splunk. Rows are correctly read, but the header is also included as an event row. I just want to have the header extracted as the field names...
How to only index events that contain specific fields?
Hello, all. I know that my question's not unique, but I want to ask it :) I have a netflow text log on a server with a universal forwarder installed. I don't want to index this entire log. I only...
How to configure props.conf to index each log file in my directory as a...
I have hundreds of logs in my directory. I need the entire data from each log to be represented as one event. May I know what settings I should use in props.conf to represent each log file as a single...
Splunk App for Windows Infrastructure: Why does Failed Logons by IP Address...
I found that the "Failed Logons by IP Address" chart in Splunk App for Windows Infrastructure never shows any data, though the "Failed Logons over Time" chart can show there are failed logins. I tried to...
I have a JSON file with two timestamps. How do I edit props.conf to extract...
I have a JSON file with two timestamps. I would like to extract the second timestamp (highlighted in bold). I have tried the props.conf configuration file on the indexer as given below: props.conf KV_MODE=none...
Why is my current file monitor configuration always missing the first line of...
I've got a file monitor set up for a headerless CSV file which I generate on a periodic basis. I've noticed that the monitor is always ignoring the first line of the file. I am not using...
How to correct props.conf to resolve a timestamp mismatch?
For the log events which look like: **PID-27654-(2016-06-12-08:00:02.677) [INFO] : Error Publisher Server** I have configured the props.conf as follows: [granite_server_forever] SHOULD_LINEMERGE =...
Why is my field transform using DELIMS not working?
Hello, I have a field transform set up that doesn't seem to be working: **transforms.conf** [coldfusionapplication] DELIMS = "," FIELDS =...
How to edit props.conf to index tab-separated values (TSV) file with embedded...
In Splunk Enterprise 6.5, I'm attempting to index a tab-separated value (TSV) log that also contains headers within; however, I'm having difficulty with the props.conf in getting the headers. In the...
How to edit props.conf to resolve "Could not use strptime to parse timestamp"...
Hello, I have a timestamp as **[17/Oct/2016:16:09:51 +0000]** and my props.conf looks like: TIME_PREFIX = \[ MAX_TIMESTAMP_LOOKAHEAD = 26 TIME_FORMAT = %Y/%b/%d:%H:%M:%S +0000 When I do this, I am...
Regex '' in XML tag
I have a log that contains some XML that I'm extracting into fields and then removing all empty tags at index time in props.conf. I'm having trouble with the `<` and `>` characters that can...
How to edit my regular expression to replace '' in XML tags?
I have a log that contains some XML that I'm extracting into fields and then removing all empty tags at index time in props.conf. I'm having trouble with the `<` and `>` characters that can...
Why are my events not splitting correctly by timestamp?
My props.conf has: TZ=UTC TRUNCATE = 0 BREAK_ONLY_BEFORE_DATE = true TIME_FORMAT = %d%b%Y_%H:%M:%S.%3N MAX_DAYS_HENCE = 5 MAX_TIMESTAMP_LOOKAHEAD = 24 SHOULD_LINEMERGE = true My events are like this:...
How to edit my props.conf to keep multiline events containing XML as one event?
Hi, I’m trying to create a new source type for the first time. I’ve been at it all morning and I’m pretty sure I must be missing something fundamental. The data I’m importing is quite a messy log file....
Why is Universal Forwarder unable to process props.conf configuration for...
I have a customer that wants to index psv files with headers. If I omit the props.conf file on the Universal Forwarder (UF), the entire psv file gets indexed as one event without any parsing. I have a...
How to extract fields from multiline events at search time using props.conf?
I am able to extract some fields, but not all from sample data as per below for 2 events. Please note that variable, type, and value occurs multiple times in an event and the number of recurrences can...
How to route to an Index based on SourceType AND Host combination in...
I have a setup as Universal Forwarder (UF) - Heavy Forwarder (HF) - Indexer - Search Head (SH), where multiple UFs are sending data to a single HF which in turn sends data to a single Indexer. I have below...
How to edit props.conf to replace characters in a log?
Log: Dec 5 15:25:48 host : app='smtp', name='Email Status', policy_name='', dvc_host='', virtual_host='host', event_id=8888, reason_id=11, direction=2, src_ip='xx.xx.xx.xxx', src_host='',...
How to alter data using SEDCMD in props.conf?
We have the DNS debug logs coming onto the indexer. Now each event will have an alpha-numeric pattern for 'domain name' in the below fashion **(1)abc(2)def(3)ghif(4)** Now I want the **highlighted** data...
How does LINE_BREAKER_LOOKBEHIND in props.conf work?
May I know how exactly `LINE_BREAKER_LOOKBEHIND` works? I am a little bit confused by the explanation given in the Splunk documentation. Any example would be great.