How to configure XML data parsing?
Hi, I've not tried to parse XML data in Splunk so I need a bit of hand holding.... I have the following data that repeats for different sensors. I'd like to be able to extract all the XML fields. I...
How to edit my props.conf to line break before each timestamp in my multi...
Hi, I have logs with multi-line events and I am trying to line break before the timestamp, but before the date there is `-}",`. Can you help me write the props.conf so the line breaks before the date?...
About LINE_BREAKER
I want to split the following log into events every 8 lines rather than every line, but it ends up being split at every line and does not work as intended. LOGICAL UNIT NUMBER 3 Name: 1692_Robin UID: 60:06:01:60:31:F0:35:00:C3:C5:87:BA:45:59:E6:11 User Capacity (Blocks): 85899345920 User Capacity...
Why are my multi-line events getting broken in the middle of a string?
I have a log that contains multi-line events, some events contain Java stack traces. Here is an example log: INFO 2017-02-06 17:57:36,026 com.loadbalancer.http.SynchHttpProducer [82] - Details of...
Why am I unable to set sourcetype in props.conf?
I have a syslog feed sending me firewall data from a Linux system. It calls that sourcetype syslog, of course. I'm following the docs here:...
How to ignore some data from getting indexed?
Hi, I have this data that I'd like to index 000d6f0004349d51.1: Label: Front Door Manufacturer: SAMSUNG SDS Model: SHN-WDD510 Firmware version: 0x00000005 Hardware version: 1 User Properties:...
Log pre-processing
Hi guys, I defined my source type as follows (in props.conf): [anomalies] DATETIME_CONFIG = FIELD_NAMES = COL1, COL2, TIMESTAMP, COL4, COL5, KPI_ID ,COL7, COL8, COL9, COL10, COL11, COL12, COL13, ALARM...
Updating metadata sourcetype with data from events
Hello all... I have the following file: conn.log: 1486576311.492453 Cid7Nq2yj6VZ3FdO8b 10.28.7.27 39525 10.12.7.17 8080 tcp - - - - OTH T T 0 C 0 0 0 0 (empty) I need to carve the first element...
Sourcetype won't split on monitored file after changing transforms.conf and...
I am testing splitting sourcetypes for a one time indexed file on my test box. All time formats are parsed correctly when the log ingests. The file splits just fine into exactly as many events as...
How to edit props.conf to line break my multiline event based on timestamp?
Hi, we are trying to break the following lines based on date/timestamp, but the multiline event is not working as we expected. Can someone please help us with this issue? Sample log: [02.13.2017 15:35:47.920]...
How to configure props/transforms.conf for this data
Hi, I have this data and need to know what I need to configure for props/transforms.conf to parse the data correctly. Correctly= KV pair - field=Manufacturer value=Kwikset Thank you!...
Is it possible to assign different timestamps based on log line contents...
I am sending "pan:traffic" logs from our Palo Alto 3050 firewall to Splunk. I want the "_time" fields to be the same value as the "start_time" field when the log line contains "start" and use the time...
How to parse a field that has flat log text and in JSON format?
Need some help here. I have the following event: Feb 14 14:40:01 10.64.61.104 {"protocol": {"protocol": "ip", "app": "http", "session_id": "CzbhnXwfgz1jyPljh", "event_status": "1", "headers_server":...
Why is my XML Log not parsing correctly?
I am attempting to import a ws_ftp log, but I am having issues parsing the log data. I can either get it to have no fields extracted or I end up with hundreds of entries for each event as it does not...
How to modify the format of MS DNS server debug log events?
Hello, I would like to modify the format of MS DNS debug logs in order to get rid of some unimportant strings within domain names. I was playing with the SEDCMD stanza in props.conf but without success. Log...
Transforms not splitting sourcetypes
So I am trying to take a single monitored log and split sourcetypes based off of the terms SCAN, RECV, SEND. I created my props and transforms first. I made sure that Splunk recognized the sourcetype...
Calculated field configuration (EVAL) not working in props.conf
I am trying to use a field in calculated fields from props.conf to replace a space in one of my field values but am not getting any results in Splunk 6.2. Below is the EVAL stanza from props.conf -...
CSV Indexed Extractions in Distributed Environment
Hi, Here is my scenario: - UF1-> - UF2-> - HF-> IDX1;IDX2;IDX3 - ->SH1 Note: Connections are all good and I have got the files through the chain into my indexers perfectly. - The data I'm...
Splunk Add-on for Symantec Endpoint Protection: How to update props.conf for...
Trying to update field extraction for field "user" in Splunk Add-on for Symantec Endpoint Protection props.conf Current Configuration is [symantec:ep:risk:file] TRANSFORMS-nullqueueheader =...
Data encoded in iso-2022-jp is not indexed
To index e-mail encoded in iso-2022-jp with Splunk, I put the following setting in props.conf. [sample_mail] CHARSET = ISO-2022-JP When I then checked the indexed data, its contents were garbled, and the following error was written to splunkd.log. 01-26-2017 14:14:59.932...