CSV Headers are listing as events and not extracting into interesting fields .
CSV Headers are listing as events and not extracting into interesting fields . This is the props.conf I'm using Header ex: xys ,queue, monitor, tags, like this 20 header feilds . props.conf am using :...
View ArticleHow to get date and time from this format?
I have date and time in this format, [2010/01/14@08:43:17.561+0100] How to read it correctly into Splunk?
View ArticleHow to write the extract the timestamp from my sample event in props.conf?
How to write the extract the timestamp from the following event in props.conf? Mar 3 15:16:10 servername user:info syslog.........
View ArticleSplunk Add-on for VMware: How to limit the logs collected by the add-on to...
-We have a remote syslog server that is collecting vcenter and esxi hosts logs. -On the sylog server the data is broken as followed %HOSTNAME%/%PROGRAMNAME%.log" -We are able to collect the data using...
View ArticleDoes Splunk DB Connect cron frequency for query execution uses system time or...
We are using Splunk DB Connect v1 where we have 2 servers in different data centers (one in Eastern Timezone and another one in Central Timezone). In both the servers we have props.conf configured to...
View ArticleCan I skip specific lines while indexing data?
Hello, I am trying to index a csv log file that looks like this: Description,NumJobWaitEvents,ReturnCode,RunEnd,RunStart,ScheduledStartTime,Status...
View ArticleHow to edit props.conf to line break my raw data correctly?
I am looking to break out the raw data below to individual events instead of all in one event. I have passed SHOULD_LINEMERGE in the props.conf file, however I am not seeing the expected results. Once...
View ArticleHow to index Oracle files about backup information archSID.log or backSID.log?
Hello, we want to index files from brtools with information about the archive log backups from oracle /oracle//saparch/arch.log. This file has following structure and we want to create a report over...
View ArticleWhy are the Preset Times in Splunk Web not displaying results for a recently...
I recently added a .log file for an app called solr. When searching using the presets like "Today" i get no results. However, if I change this to a date range for today (3/10/17) I get results. I...
View ArticleWhy does the Universal Forwarder index a CP1251 encoded file twice?
Hello! I'm trying to pre-filter and forward structured .csv file from Universal Forwarder (UF) to Splunk Enterprise server. This file is CP1251 encoded, not UTF-8. I've made a new sourcetype and copied...
View ArticleWhy does the Field Extraction stanza in props.conf not work?
Hi, Neither of field extraction stanzas in props.conf works. Weird, for example alternative stanza for sha1 in Splunk Web works correctly. This works in Splunk Web:...
View ArticleHow can I parse XML with multivalue fields?
Here's a small snippet of an xml firewall event i'm trying to parse:1Temperature @ Ocelot0.060.0False36.01Temperature @ Switch0.060.0False37.5 Ideally i'd like to set up a process to extract the two...
View ArticleHow to edit my configurations to extract a multivalue field from an extracted...
I am trying to extract fields for OpenDNS logs. These come in a CSV format: "2015-01-01 20:39:57","client1","client1,site1","1.1.1.1","2.2.2.2","Allowed","1 (A)","NOERROR","www.google.com.","Search...
View ArticleRunning btool shows there are no system/local folders. How to edit props.conf...
Troubleshooting a problem with trying to route events to nullQueue. Ran the btool props list --debug to see what was being applied and found that none of my "local" folders are listed. I thought those...
View ArticleHow to properly parse my JSON input?
Hi, I have a JSON input file, and am having two issues. First, I can't seem to get the timestamp to map appropriately, and second, the events don't appear as proper JSON events within Splunk. Here's a...
View ArticleWhy is my props.conf not working, but the same props.conf is working on some...
props.conf [log1] BREAK_ONLY_BEFORE = \w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\w+\s+\d+ DATETIME_CONFIG = NO_BINARY_CHECK = true category = Custom pulldown_type = true Below is my sample event, we need to...
View ArticleWhy is my TIME_FORMAT regular expression in props.conf not working for an...
HI I am using following regular expression for the index time extraction in the props.conf. For some reason, it is not extracting properly. Event: 2017-03-15T11:30:02.609835+00:00...
View ArticleMetadata will not rewrite. Why is Splunk ignoring my configurations?
I am trying [once again] to rewrite metadata, host, source and source type from fields in my event. I have an event like: { [-] datasource: otherport ident: root message: This is a test orighost: play...
View ArticleHow to line break this structured log?
I have a script generating an output, however all my output is being registered as one event. I am trying to break each line into an. I tried using the line breaker with regex for end of line. But that...
View ArticleHow to rename a JSON field by editing a configuration file (NOT when running...
There is a log source that publishes events in JSON format, but the field name is in 3-digit numbers, not in English, like below: {"xyzEvent" : {111 : "2017-03-20 02:58:02.000",222 : "New", 333 : "Alex...
View Article