Channel: Questions in topic: "props.conf"
Browsing all 1485 articles

How to ignore the timestamp or any time-value provided in the logs and use...

I am indexing a log file which doesn't have a timestamp, but a few events have a completion time (how much time it took to complete, a kind of time difference). Splunk is taking this time as the timestamp which...



How can I search a search-time field's value extracted through configuration...

I tried to search the value of fields extracted by the REPORT setting like below. My intention is to extract the initial letter of the foo field's value. --------------------------------------------------------...



How to ignore the timestamp or any time value provided in the logs and use...

I am indexing a log file which doesn't have a timestamp, but have a few events that have completion time (how much time it took to complete kind of time difference). Splunk is taking this time as...


Why am I unable to search for a search-time extracted field configured in...

I tried to search the value of fields extracted by the REPORT setting like below. My intention is to extract the initial letter of the foo field's value....


How to configure props.conf and transforms.conf to get the same field...

I have events coming from multiple sourcetypes that need the same extractions to get information. As an example, the props.conf file: [linux_audit] # # Transforms #...



How to mask emails and credit card numbers in logs?

According to the link below, it looks possible to mask data in Splunk. https://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Anonymizedata I want to mask the email and credit card number for the...


Where should I apply props and transforms: search heads or indexers?

I thought I had this figured out but am not so certain now. I need to apply a props and transform to some of our logs to make them readable since they are in a custom format. Should this be sent to the...


Can sourcetype control be applied in props.conf?

Hopefully a simple question. I can see that in props.conf you can use source, `[source::.../dads_logs/*.log]`, to control if it's applied but can you use `sourcetype:...nameofsourcetype`? Thanks



How to remove single quotes from key-value pairs in order to apply SEDCMD?

I have between 2 and 25 fields that I need to apply the SED cmd to. The fields are coming in as KV pairs with the value wrapped in single quotes, which makes it hard to analyze those events. Since I...



Why is the default taking precedence over the sourcetype I've set in...

I have set the sourcetype for access logs in inputs.conf + props.conf before, but on one host it is not recognizing the explicit sourcetype I set on the local host (running the Splunk forwarder)....


Why is SHOULD_LINEMERGE not allowing me to set to "false"?

I'm using the Universal Forwarder, and I have a requirement to log events under a specific Source Type using specified line breaks, while at the same time sending some events to the nullQueue. From...


How to construct a TIME_FORMAT that will extract the date and military time...

I need to get a proper timestamp from raw data that looks like this: Date Of Incident: 12/02/2015 12:00:00 AM, Time of Incident: 0150 I think what I need is the date and the 4 digits at the end. I am...


Props.conf and transforms.conf files are not working

Hello All, I have written the below props.conf and transforms.conf files, but am not able to filter my data. Could anyone please let me know where I am wrong? My sample input file contains...



The edits I made to props.conf and transforms.conf are not working to filter...

Hello All, I have written the below props.conf and transforms.conf files, but am not able to filter my data. Could anyone please let me know where I am wrong? My sample input file contains...


How to edit props.conf to line break modsecurity events?

Hey guys. I want modsecurity events in Splunk, but can't get the config right. I have events like this: --d021db15-A-- [22/Dec/2016:12:46:22 +0300] WFug7n8AAAEAAAgUFKYAAABM 192.168.13.2 58507...



Why are all events in one record and I am unable to extract fields?

We have CSV files dropping in a Windows folder, and the CSV file contains user data, but it was not parsing correctly. It was showing all the events in one record, from which I am not able to extract the...


Only the first line of the Message field is displayed for Windows Security event logs

I forwarded Windows Security event logs from a Universal Forwarder installed on a Windows OS to an Indexer installed on a Linux OS. When I search the indexed data, only the first line of the Message field's content is displayed. What should I do to index the entire content?



Is there a way to break lines in props.conf on search head?

I have the ability to configure a search head but not the indexers. I am wondering if I can break multi-line netstat events into multiple events on the search head using props.conf. I realize that I...


How to configure character set encoding?

When you have Char: auto in props.conf "If you want to use a character set encoding that Splunk software does not recognize, train it to recognize the character set by adding a sample file to the...


Source Transform Replace '/' with '_'

Hi, I created props and transforms files to put the source value of the file in the raw event. I am sending these events to a third-party app. I am using a heavy forwarder. But I need to replace...
