Handling events with the same timestamp
I am extracting logs from a file which contains entries with two timestamp log entries: 1. eventTimestamp 2. timestamp The latter is included by my logging framework. I occasionally write events where...
How to define timestamp in props.conf for this json event
Hi, I have a sample json file where I have to index the time. I created the stanza at props.conf....
Multi value field extraction props.conf transforms.conf
Hello fellow Splunker, I have a question about my props.conf and transforms.conf. I want to extract a multi valued field for the messages which are displayed in the following .txt file....
Cisco ASA, PIX and FWSM logs to separate indexes?
We're successfully pulling in logs from our Cisco ASA devices via syslog and have previously hard coded them to be sourcetype cisco:asa through the inputs.conf file using a monitor stanza to track the...
German umlaut Character is not getting recognized by Splunk Universal Forwarder
My PowerShell script results contain a "German umlaut" character in the data. In our local lab Splunk Universal Forwarder runs this script at some interval and forwards data to Splunk Enterprise (Search Head)...
How to override props.conf to change event size limit?
I was trying to override props.conf to change event size limit. These are the steps I have tried so far: - Add a blank props.conf file in $SPLUNK_HOME/etc/system/local - Edit props.conf with three...
Is there any way to execute SEDCMD after transforms are applied?
Hi, As far as I understand, SEDCMD is executed before TRANSFORMS. Is there any way to make it execute after? I'm overriding some metadata fields based on the content of an event. Current (simplified)...
Time stamp format in source type.
I have selected the Time stamp format `%b %d %H:%M:%S CET %Y` for one of the source-types. I would like to change it in such a way, so that it can handle both `CET` and `CEST`.
How to edit my configurations so that my Kubernetes host log will be...
Hi, In my Kubernetes host generating a logfile for the Docker container, the logs are coming to Splunk in the following notation. { [-] log: 2017-01-06 19:37:54,851 - application-library-rest-api -...
How to edit my configurations to get search time extractions to apply?
I've been working through trying to get some search time extractions to apply using props.conf and transforms.conf with REPORTS. The source is parsed on a Heavy Forwarder and I have verified the index...
Receiving JSON files from Azure containing multiple events in each file. How...
I am pulling JSON files into Splunk from Microsoft Azure. Each JSON file contains multiple events and time stamps. Below is an example of a JSON file that is being pulled in. When I look into...
Grouping events. Improper line breaks
I want my logs to be indexed as follows :- EVENT-1 THIS IS SOME LINE New line 1 New line 2 New line 3 New line .. New line .. New line 21 EVENT-2 THIS IS SOME LINE New line 1 New line 2 New line 3 New...
How to edit my props.conf to properly group multiple lines in one event...
I want my logs to be indexed as follows: EVENT-1 THIS IS SOME LINE New line 1 New line 2 New line 3 New line .. New line .. New line 21 EVENT-2 THIS IS SOME LINE New line 1 New line 2 New line 3 New...
Is it possible to update props.conf using input parameters taken from a...
Hello All, I have a requirement where we want to take inputs from a Super User and update the props.conf file. The approach I am using is to call the javascript where we can take the input parameters from...
How to configure props.conf to extract a field where the regular expression...
I'm having trouble finding a good solution for extracting a "pid" type value that exists in a uri structure but in different locations depending on the sourcetype. The transform performing the...
Palo Alto Networks App and Add-on for Splunk: Changes in transforms.conf are...
Hi there, I am trying to filter out 'url' events from the Palo Alto Networks App and Add-on for Splunk because it is causing us to go over our license limit. I have a transform that I put together in...
Splunk Analytics for Hadoop: Why is Splunk not reading current active HDFS file?
We are running Splunk Analytics for Hadoop v6.5.1 with Hortonworks HDP v2.5. I can search and results are returned within the timerange **EXCEPT** for the current file. There are no results returned if...
RBAC/permissions: Is it possible to restrict a role as only able to search an...
My customer has indexed data that inadvertently contains clear-text passwords in it. There are folks who need to be able to search that data, but aren't privileged enough to have access to see those...
Is there a way to do further extractions from an existing search time...
Currently I'm doing an extraction on a log file like so: [AUDIT_PARSE] REGEX = \x5b[^\x5d]+\x5d\s+(\w+)\s+(?:\x7b([^\x7d]+)\x7d){0,1}\x2d\s+(.*) FORMAT = level::$1 log_source::$2 message::$3 One of the...
How to make a "rex" search a permanent field extraction in props.conf and...
Hi all, I have this expression to extract the character part of one string: ... | rex field=Equipment "^(?^[a-zA-Z]+)" The field `Equipment` has content like MC01. I need the character part, in this...