How to configure extraction for multiple timestamps from different message...
Hi. I have two message formats falling into the same index. One of these message formats only contains one timestamp without milliseconds, but the second format contains a second timestamp **with**...
How to prevent linux_message_syslog input from overriding the FQDN of the...
All, I have an input in linux_message_syslog that seems to be working fine, but the universal forwarder is providing the FQDN of the host back to Splunk. This specific input seems to be overriding the...
How to edit props.conf to use the "last modified" time of the file as the...
I have configured monitoring for a set of files. I have configured the props.conf to use the 'last modified' time of the file as the timestamp for each event. However, the events are being indexed for...
Splunk Add-on for Cisco ESA: Add-on improper extracts Message-ID header
Hi, I just noticed that the Splunk Add-on for Cisco ESA (tested with 1.2.2) improperly extracts the Message-ID header. Consider the following example: Message-ID: This gets extracted as message_id =...
Need help with what should be a simple precedence issue regarding props.conf...
Simple scenario: app_a/default/props.conf and 25_app_a/default/props.conf. The 25_app_a is an exact copy aside from the change noted below. Both contain field aliases for the same sourcetype. The...
Why does an extracted timestamp field show as _raw?
I've setup a field extractions with K=V; format and every field is working correctly except for the first field, "timestamp" Here's the format I'm starting with:...
How to configure props.conf and transforms.conf to process the timestamps in...
Have data that Splunk is struggling with and needs props.conf and transforms.conf. The year/month/date followed by time hours minutes seconds are in the 3rd and 4th fields for each event:...
How to redirect some SNMP data to a new index?
We have SNMP data being sent from a heavy forwarder to our indexers into an index that we'll call cacti. We want SOME of the data (specifically traffic data) to go to another index. My inputs.conf on...
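Index routing of the kind asked about above is done with a transform whose DEST_KEY is `_MetaData:Index`. The following props.conf and transforms.conf fragments are an added example, not configuration from the poster; the sourcetype name `snmp`, the match string `ifInOctets|ifOutOctets` (used here to recognise interface traffic counters) and the target index `cacti_traffic` are assumptions for illustration.

```ini
# props.conf on the heavy forwarder. Index-time transforms run on the first
# full Splunk instance that parses the data; once a heavy forwarder has cooked
# and parsed the events, the indexers will not apply this again.
# Assumed sourcetype name: snmp
[snmp]
TRANSFORMS-route_traffic = route_snmp_traffic

# transforms.conf on the same heavy forwarder.
# Assumed: traffic events contain the counter names ifInOctets / ifOutOctets.
[route_snmp_traffic]
REGEX = ifInOctets|ifOutOctets
DEST_KEY = _MetaData:Index
FORMAT = cacti_traffic
```

Events that match the REGEX are rewritten to the `cacti_traffic` index; everything else keeps the index set in inputs.conf (cacti in this case). The target index must already exist on the indexers, and the heavy forwarder needs a restart (or a configuration reload) before the change takes effect. Check the result with a search such as `index=cacti_traffic sourcetype=snmp` against events that arrived after the restart.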
Why is props.conf in my deployment-app not getting picked up?
I have a standalone Splunk environment - I have universal forwarders and an indexer/Deployment server which acts as the Search head also. I have a deployment-app under...
Are my props.conf and transforms.conf correct in setting metadata from TCP...
So... I am attempting to setup a TCP input, which will automatically set metadata, from the event. The _Raw looks like:...
Reducing Windows Security Events flow by filtering in parsing queue
In order to filter out non-administrator logon events on WinEventLog:Security sourcetype, I inserted the following stanza in transforms.conf in proper position I suppose: [setnull] REGEX = . DEST_KEY =...
Why is my field extraction not consistent across all events?
I want to extract a field which is uuid format and name it `instanceid`. props.conf settings EXTRACT-fields_5 = \[[i]nstance:\s+(?P<instanceid>[0-9a-f]{8}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{12}) For...
How do you merge an event to a single line keeping the data together?
I have a process that writes to a log file in 8 KB chunks when the buffer becomes full. What will happen is once the buffer is full, it will write to the log. After it writes, the last line will be...
How to ignore some events at index time?
Hello, I have to index only events that contain the string "$$log$$". I tried with a transform like [ignore] REGEX = < a regex to match event not containing "$$log$$" > DEST_KEY = queue FORMAT =...
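Both the Windows Security filtering question and the "$$log$$" question above are instances of the same index-time pattern: send every event of a sourcetype to nullQueue first, then override that decision for the events you want to keep. The props.conf and transforms.conf fragments below are an added example, not the posters' own configuration. The source path `/var/log/app/*.log`, the use of EventCode 4624 as the logon event and the convention that administrator accounts end in `-adm` are assumptions made for illustration.

```ini
# props.conf on the indexer or heavy forwarder that parses the data.
# A universal forwarder does not run these transforms.
# Transforms in one TRANSFORMS- list run in order; a later match overrides
# the queue chosen by an earlier one, so the "discard all" rule goes first.
[WinEventLog:Security]
TRANSFORMS-filter = setnull, keep_admin_logons

# Assumed source path for the "$$log$$" case.
[source::/var/log/app/*.log]
TRANSFORMS-keep_marker = setnull, keep_log_marker

# transforms.conf on the same instance.
# Match every event and route it to nullQueue (dropped before indexing).
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Route successful logons by an assumed "-adm" administrator account back
# to indexQueue. Assumption: EventCode 4624 and an "Account Name:" line
# as written in the Windows event text.
[keep_admin_logons]
REGEX = EventCode=4624[\s\S]*Account Name:\s+\S+-adm\b
DEST_KEY = queue
FORMAT = indexQueue

# Keep only events that contain the literal marker "$$log$$".
# "$" is a regex anchor, so each one has to be escaped.
[keep_log_marker]
REGEX = \$\$log\$\$
DEST_KEY = queue
FORMAT = indexQueue
```

Two caveats a practitioner will want. First, anything sent to nullQueue is gone for good, so a filter on the Security log is also a detection blind spot; get the list of dropped EventCodes and accounts agreed with whoever runs detection before deploying it, and test the REGEX against real events (for example with `| regex _raw="..."` at search time) because a regex that never matches keeps nothing. Second, the props.conf stanza must be the one the data actually carries: a sourcetype stanza for `WinEventLog:Security` does nothing if the input was assigned a different sourcetype name, and a `source::` stanza must match the full source path.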
How to split my input file into multiple events?
Hi, my input file /tmp/log.txt looks like this. 192.168.22.5 93.x.x.x 456 2 192.168.22.10 183.x.x.x 63 1 src_ip dest_ip byte packet When I add this file as an input file in Splunk, I get all data as one...
Why is line breaking not occurring as specified in props.conf?
Hi guys, I have an issue with line breaking. I used data preview in Splunk Web and it breaks lines as I wanted. But it doesn't do the trick when it deploys to props.conf in the heavy forwarder. The...
Renaming index with transforms.conf and props.conf is failing
Hello. I really hope someone on here will be able to help me out. Long story short: I am having some difficulties renaming an index on some cooked data that is hitting my indexer with `transforms.conf`...
| extract reload=T command not working through searchmanager in splunk
Hello All, I have a dashboard where I am calling a reload of the props.conf file through the `| extract reload=T` command, but somehow the props.conf is not loading (meaning it's not taking updated calculated...