How to correct timestamp parsing and field extraction of XML log?
Hi, novice splunker here. I'm having an issue getting all the timestamps correctly parsed from the DATE and TIME fields of a given XML log. That XML log contains exactly 68 short records of dummy...

CSV and TSV File Inputs on Universal Forwarder - Do I need to configure both...
I am going to be forwarding CSV and TSV files, and was wondering if I need to configure **both** INDEXED_EXTRACTIONS and FIELD_DELIMITER in props.conf for the sourcetype on the Universal Forwarder. It...

Breaking event because limit of 256 has been exceeded
04-06-2017 12:17:13.106 +0000 WARN AggregatorMiningProcessor - Changing breaking behavior for event stream because MAX_EVENTS (256) was exceeded without a single event break. Will set...

Formatting different types of sources
Hi, me again. Woodman helped me sort out formatting, which allowed me to crack on and get exactly what I need from Avaya Session Manager logs presented in XML format pushed to a folder on the server....

Transform on DBConnect Input Removing Field
Hi, I have an SQL input being consumed via DBConnect 2.4 which has several fields including 'Message' and 'Originating System'. They are currently being sent to our indexers under the sourcetype...

Lift fields in nested json object to top level
I have JSON data like this { "default": 3, "payload": { "a": 1, "b": 4 } } The keys in my payload object differ for different use cases and I want to lift all the key-value pairs in the payload property...
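An added example (not from the post, and not Splunk code) of what "lifting" the payload means in plain Python, so the target shape is clear before it is expressed as a search or an index-time transform. The sample event is the one from the question, with the missing comma added; the function name, the collision rule and the dotted names for deeper nesting are choices made here, not anything the poster described.

```python
import json

# Constructed sample modelled on the question (with the comma the post's
# snippet is missing, so that it parses).
SAMPLE = '{"default": 3, "payload": {"a": 1, "b": 4}}'


def lift_payload(event, key="payload", sep="."):
    """Return a copy of `event` with the children of `event[key]` promoted to
    the top level.  Objects nested inside the payload are flattened to dotted
    names, and a promoted key that would overwrite an existing top-level field
    is kept under "<key><sep><name>" instead, so no value is silently lost.
    Events without a `key` object come back unchanged."""
    payload = event.get(key)
    if not isinstance(payload, dict):
        return dict(event)
    out = {k: v for k, v in event.items() if k != key}
    flat = {}

    def walk(obj, prefix):
        for k, v in obj.items():
            name = f"{prefix}{sep}{k}" if prefix else k
            if isinstance(v, dict):
                walk(v, name)
            else:
                flat[name] = v

    walk(payload, "")
    for name, value in flat.items():
        target = f"{key}{sep}{name}" if name in out else name
        out[target] = value
    return out


def lift_from_json(text, key="payload"):
    """Parse one JSON event and lift its payload."""
    return lift_payload(json.loads(text), key)
```

The collision rule matters for data from many use cases: if one payload ever carries a key that already exists at the top level (for example its own "default"), overwriting would lose a value you may need for detection, so the example keeps both.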

How to break events as Every Line
Hi All, What's the appropriate regex for an event break on every line? Is my `props.conf` correct? [index_name] LINE_BREAKER = ([\r\n]+)

How to report on the top 10 fields when logs have a variable number of key...
I have log records with a variable number of KV (key value) pairs. Both the field and the values are numeric. The following search parses all of the log records correctly and builds a very long row of...

How to parse an unusual timestamp format?
Hi all, I have some inconsistent timestamp parsing issues that I believe are due to an incorrect TIME_FORMAT value in my props.conf file and I am hoping that someone may be able to clarify what...

Remove non alphanumeric at the very start in props.conf
Is it possible to remove all non-alphanumeric characters when taking in data in the props.conf? I have tried with regex but I can't seem to get it. This is the data 20151029|12:31:00|MUREXFO | 1 |SessionCreate...

Simple host field change - does not work
Hey guys, so I'm rather new to Splunk, and we're implementing a small cluster for logfile collection and SIEM purposes. One of our systems is a MobileIron Core Appliance, which features a built-in...

How can I set the sourcetype to a value from the input stream?
I have a name value data stream which contains the following - ` "msg_sourcetype": "syslog-test"`. How can I set the `sourcetype` to be - `syslog-test`? The following works - `| rex "msg_sourcetype\":...

How to create multiple source types from a single log file?
I am ingesting 1 file that has multiple server IP addresses. I need to source type each server based on the IP address. I have tried using the props.conf and transforms.conf with no luck. Any help...

Raw import not getting the full data. Is this a CR/LF issue that can be fixed...
I am not getting the full event on ingestion from a log file. I am assuming it's a CR/LF problem that would be fixed by a config file tweak. This is some data: 2017-04-18 04:00:53,373 [6968] INFO...

Is it possible to configure Splunk to use the date from log filename as the...
I have some difficulties with date/timestamping a certain logfile. The logfile itself only contains HH.MM.SS. Example: 06:42:01.211 report /media/Logfiles/LOG_121202_20161231_064206.xml has been...

Need help with complex LINE_BREAKER with multiple options
Here are some sample lines from a log I'm trying to parse: Genesys Interaction Concentrator, Version:'8.1.502.04' Copyright (c) 2005,2015 Genesys Telecommunications Labs, Inc. Host name:...

How to edit my props.conf to correctly line break my sample log?
I want Splunk to break every time I see Event logged at `*}:` Event logged at {1492205898958;2}: ID: com.innovision.ofx.ofxsgml.ncph.Response Title: Event logged at Fri Apr 14 14:38:18 PDT 2017...
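An added example, not from either post, covering both LINE_BREAKER questions above (one event per line, and one event per `Event logged at {...}:` header). It emulates the documented rule for LINE_BREAKER: each regex match is a boundary, and only the text captured by the first group is removed, so text the regex matches after the group stays at the front of the next event. The sample is constructed from the lines quoted in the second post; dropping empty events is this example's own choice.

```python
import re

# Two LINE_BREAKER values: one event per line, and one event per
# "Event logged at {n;n}:" header.
EVERY_LINE = r"([\r\n]+)"
EVENT_LOGGED = r"([\r\n]+)Event logged at \{\d+;\d+\}:"

# Constructed sample modelled on the second question.  The "Title:" line also
# contains "Event logged at", which is why the breaker insists on "{digits;digits}:".
SAMPLE = (
    "Event logged at {1492205898958;2}: ID: com.innovision.ofx.ofxsgml.ncph.Response\n"
    "Title: Event logged at Fri Apr 14 14:38:18 PDT 2017\n"
    "Event logged at {1492205898959;1}: ID: com.innovision.ofx.ofxsgml.ncph.Request\n"
)


def line_break(raw, line_breaker):
    """Emulate props.conf LINE_BREAKER on a chunk of raw text.

    Each match of the regex is an event boundary.  Only the text matched by
    the first capture group is discarded: whatever the regex matches before
    the group stays at the end of the previous event and whatever it matches
    after the group stays at the start of the next one.  Empty events (for
    example from a trailing newline) are dropped, which is our choice here.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capture group marking the delimiter")
    events, start = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]
```

Two checks worth making alongside the regex: the props.conf stanza must name the sourcetype (or `source::`/`host::`) the data actually arrives with, and `SHOULD_LINEMERGE = false` should be set so that Splunk does not re-merge the lines LINE_BREAKER just separated; the MAX_EVENTS warning quoted earlier on this page is what line merging produces when it never finds a break.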

After editing props.conf, why is sensitive information not masked when data...
Hi All, I have followed the regular expression method to anonymize data during indexing as mentioned in the below Splunk documentation....

How to remove all events containing specific values in Splunk?
Hi All, Can anyone guide me on how to remove all events containing only the below listed events from the rest of the events? I am sure that we need to configure props.conf and transforms.conf, but not...

What is the best way to filter events at Heavy Forwarder level?
Hi. I am trying to send logs from a bunch of Universal Forwarders (UF) to a Heavy Forwarder which will then forward it to a SOC (managed service - we have a syslog receiver onsite). Currently, all the...
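An added example, not from any post on this page and not Splunk code, that emulates how an ordered `TRANSFORMS-<class>` list behaves so the routing questions above (drop events carrying specific values, keep only some events at the heavy forwarder, set the sourcetype from the event text or from a server IP) can be tested before touching transforms.conf. Each rule mirrors a transforms.conf stanza's REGEX, DEST_KEY and FORMAT; the rule names, sample events and IP-to-sourcetype mapping are constructed here.

```python
import re


def rule(name, regex, dest_key, fmt):
    """One transforms.conf stanza: REGEX runs against _raw and, on a match,
    FORMAT (with $1, $2 ... expanded) is written to DEST_KEY."""
    return {"name": name, "regex": re.compile(regex), "dest_key": dest_key, "format": fmt}


def _expand(fmt, m):
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", fmt)


def apply_transforms(raw, rules, sourcetype="syslog"):
    """Run the rules in the order a TRANSFORMS-<class> setting lists them.
    Every matching rule overwrites its DEST_KEY, so the last match wins: that
    is why "discard everything, then keep a few" must list setnull before
    setparsing, and why the reverse order silently drops the whole feed."""
    meta = {"queue": "indexQueue", "sourcetype": sourcetype}
    for r in rules:
        m = r["regex"].search(raw)
        if not m:
            continue
        value = _expand(r["format"], m)
        if r["dest_key"] == "queue":
            meta["queue"] = value
        elif r["dest_key"] == "MetaData:Sourcetype":
            prefix = "sourcetype::"
            meta["sourcetype"] = value[len(prefix):] if value.startswith(prefix) else value
        else:
            raise ValueError(f"unsupported DEST_KEY {r['dest_key']!r}")
    return meta


# Keep only authentication events, discard the rest (heavy forwarder filtering).
SET_NULL = rule("setnull", r".", "queue", "nullQueue")
KEEP_AUTH = rule("setparsing", r"(?i)\b(Accepted|Failed) (password|publickey)\b|\bsudo\b",
                 "queue", "indexQueue")
# Drop events that contain specific values.
DROP_NOISE = rule("drop_noise", r"\b(DEBUG|heartbeat)\b", "queue", "nullQueue")
# Sourcetype taken from a field inside the event, or from a server IP (one rule per IP).
ST_FROM_FIELD = rule("st_from_field", r'"msg_sourcetype":\s*"([^"]+)"',
                     "MetaData:Sourcetype", "sourcetype::$1")
ST_WEB = rule("st_web", r"\b10\.0\.1\.5\b", "MetaData:Sourcetype", "sourcetype::web_access")
ST_DB = rule("st_db", r"\b10\.0\.1\.6\b", "MetaData:Sourcetype", "sourcetype::db_audit")

# Constructed sample events.
AUTH_OK = "Apr 18 04:00:53 host1 sshd[6968]: Accepted password for alice from 10.0.1.5 port 5000 ssh2"
NOISE = "Apr 18 04:00:54 host1 cron[9]: DEBUG heartbeat"
JSON_EVENT = '{"msg_sourcetype": "syslog-test", "msg": "hello"}'
```

In props.conf the list order is the stanza order in `TRANSFORMS-<class> = setnull, setparsing`, and these rules run on the first instance that parses the data; in a UF to heavy forwarder to SOC chain that is the heavy forwarder, and only events left in indexQueue are forwarded on, so test the keep list against a sample of the real feed before relying on it for detection.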