How to execute TRANSFORMS by source name in props.conf?
Hi, Given the below: inputs.conf [monitor://\\MyServer\MyFolder] disabled = false host = MyServer index = MyIndex sourcetype = MySourceType ignoreOlderThan = 2d recursive = false whitelist =...
View ArticleHow do I configure the timezone setting in props.conf on a single Splunk...
Hi Guys, I have just one Splunk server no forwarder. I have referred to many documents that say we must set the timezone on the forwarder in props.conf, but I have no more machines. So, I have modified...
View ArticleHow do I configure props.conf using SEDCMD and REGEX to filter out certain...
My head hurts from banging it on Google. My Heavy Forwarder is receiving events that contain a significant about of content that we don't want or need. These events are standard MS message tracking log...
View ArticleMy server logs data in Korean. How do I change the language to English in...
Hi, Currently i have a server logging Windows Event Log data in Korean. I need to change that Korean to English when i see it in Splunk indexers. I added the Korean UTF code to the props.conf but it's...
View Articlehow to parse csv-like data with Multi-character delimiter ( props.conf ) ?
Hi Guys, i meeting a problem when i want to parse a csv-like data as following, field1_name#XDSP#C#S#field2_name#XDSP#C#S#field3_name#XDSP#C#S#field4_name 1#XDSP#C#S#2#XDSP#C#S#3#XDSP#C#S#4...
View ArticleHow to edit props.conf to override Splunk truncating JSON data?
Hi Guys, So I figured out that my Splunk instance is truncating my JSON data. That's not good and I'd like to remedy this. In reading, it looks as though I need to override my props.conf file by using...
View ArticleHow to configure props.conf to parse CSV-like data with delimiters that...
Hi Guys, I have a problem when I want to parse CSV-like data as the following, field1_name#XDSP#C#S#field2_name#XDSP#C#S#field3_name#XDSP#C#S#field4_name 1#XDSP#C#S#2#XDSP#C#S#3#XDSP#C#S#4...
View ArticleIs the configuration for my timestamp correct?
I have a problem with the right extraction of timestamp in a log file. The string example of my log : 161206 152835 LNX64 3 PWX-36145 ORAD Info Mbr 2: + Low SCN 6120947915182. Low SCN Time 12/06/2016...
View ArticleHow to filter out local firewall events I don’t want Splunk to index?
A lot of the Windows Security auditing events we see in Splunk come from the local firewall that we're not interested in. I know there's a way to configure Splunk to filter out events based on the...
View ArticleHow to edit props.conf to retrieve time from my data?
i have a data like this: capturedTime = "12/6/16, 9:08 PM"; indymeDepartmentNumber = 250; lastCacheTime = "12/6/16, 12:00 AM"; storeNumber = 1520; vendorID = "4426E4B9-1658-438C-9890-6A01DB164189";...
View ArticleWhat is the syntax for |makemv delim="|" when writing it in the props.conf file?
This works in the search bar `|makemv delim="|"`, but not when I put that in the props.conf file.
View ArticleHow do I route data based on the Index field
Assuming I have a forwarder with inputs.conf: [monitor:///var/log/notcritical] index=datacritical [monitor:///var/log/critical] index=datanoncritical How can I route the events from the two files into...
View ArticleSplunk Add-on for Cisco ASA: How to edit my configurations to filter events I...
This seems to be a common and easy problem to resolve, but I can't seem to get to the right answer. Recently I installed the "Splunk Add-on for Cisco ASA" in my environment's indexers and search heads....
View ArticleHow does the thruput metric handle events dropped in props/transforms?
I'm trying to generate some report about the volume of data from a given indexer, per sourcetype. Here's what my search looks like - it makes a nice area chart: index="_internal" source="*metrics.log"...
View ArticleHow to troubleshoot why TIME_FORMAT is not being applied events at index time?
I've looked through many posts about TIME_FORMAT being ignored. None seemed to quite apply to me. This is a single instance (so the issue of forwarder/indexer doesn't apply). Here's the issue: This is...
View ArticleHow to force Splunk use epoch time in the log file as index time
I have following logs from a customer device: 0080101c40ba,10.10.1.2,1481421584,host1.labtest.com,error-message1,sev1 0080101c4114,10.33.1.3,1481421595,host2.labtest.com,error-message2,sev2 props.conf...
View ArticleExtracting multiple values from a multivalue field: using rex vs. props.conf...
This is a follow-up to [my previous question][1]. [1]: https://answers.splunk.com/answers/481518/how-to-extract-a-multivalue-index-time-field-from.html In there, I managed to extract a multivalue...
View ArticleHow to edit my TIME_PREFIX in props.conf to properly extract the timestamp...
-health_checkin_date: 2016-10-30T09:45:28.824Z That is the line from a JSON event being sent into my Splunk instance via TCP syslog. It's being put into an index in an app I made, so I added the...
View ArticleIs it possible to add and correct fields for past events?
Hi, we just set up our first Universal Forwarder which now works as expected. But it didn't do so initially, before we had all set up correctly. We now have the problem, that the first events we...
View ArticleHow to best normalize fields for Splunk Common Information Model (CIM)?
Hello folks, I was wondering if you could help me with a dilemma about PERFORMANCE. I'm normalizing fields in order to use them with Splunk Common Information Model (CIM) and I don't know if using the...
View Article
