How to extract the fields in my raw event data at indexing time?
Hi, how to extract the fields in the below raw event using props.conf and transforms.conf 05/24/17 13:22:12 abcxyz dbmslogin_c[100]: [ddslogin.c.c][370]: [SECURITY] **Successful** login attempt from...
How to apply multiple search time patterns to a single sourcetype where the...
Hi, I have a sourcetype I am trying to apply some search-time extractions to. The log statements often contain additional fields that I would like to extract and I unfortunately cannot modify the...
How to exclude logs from ingestion at index time
In our IIS logs, we are getting thousands of lines like below which are of no use to ingest into Splunk. So I want to exclude these and ingest only the lines which have strings with data after...
Jenkins data indexing into Splunk, dashboards all blank
I am testing out the Splunk App for Jenkins (v.1.0.7) on my Proof of Concept instance of Splunk (v6.6.0), but I am having problems with it working properly, especially the field extractions. The...
How to not index log lines that have these 2 phrases in them?
Looking to get the correct regex statement for my transforms.conf to select both the "(vert.x-eventloop-thread-4)" and the "Request is valid" strings. If these both exist on that same line, I do not...
Indexing JSON data
Hi, I created a sourcetype (props.conf) to parse my json files. A local input (index once) was created only to test the props.conf and it works fine! When I tried to create a continuously monitored file...
props.conf doesn't work properly
Hi, Splunkers, I have the following data from UF to Splunk instance. << UDP-1128 Nocrypto....... REGISTER..... ...................... ...................... .........................
How to edit my props.conf to extract a timestamp in the middle of a log?
I have a log file where I need to do a timestamp extraction which is in the middle of the log.... somehow it's capturing `2017 8:09:16 PM Is R`(from the next line) NewStatServer...
How to edit my configurations to use Heavy Forwarder to filter and route data...
Hi, I'm trying to use Heavy Forwarders (HF) to route and filter data to another Splunk setup outside of mine. My goal is to send only sourcetype=log4net matching a REGEX (let's say ClientName). I...
Allow colon in field names?
I have input data that looks like: time=2017-05-29 calendar:num_1day_active_users=10437 gplus:num_1day_active_users=1 docs:num_1day_active_users=0 gmail:num_1day_active_users=24594...
Setting timestamp to minus one month of ingestion
I am getting some csv files at the start of each month but actually they are the billing data for the last month. I want to set the timestamp to last month, not the month it is being ingested in. Any ideas...
Can you extract from a field that was extracted in the same stanza?
Using the docs here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Propsconf, specifically this section: * Use ' in ' to match the regex against the values of a specific field. Otherwise it...
Ignoring header in the csv file
I want to index and search csv files in Splunk. Each file has a header at the first line: number1,number2, number3, 1,2,3 4,5,6 I've created a custom csv sourcetype in props.conf and defined custom...
How to get system time for each event of an indexed file in Splunk
Hello Everyone, I have text files where there is no datetime in it, but my requirement is to get each line as one event with indexing time (that will be system time). I have used below `props.conf`...
Is it necessary to set LINE_BREAKER, TIME_FORMAT, TIME_PREFIX in props.conf...
According to Best Practices for App building, we should at minimum set: TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT, LINE_BREAKER, SHOULD_LINEMERGE, TRUNCATE, KV_MODE So normally for a...
How to mask sensitive data at index time?
I am trying to mask PII data at index time. Here is an example of PII data I am trying to mask: RecipientSSNxxx-xx-4321RecipientSSN I am able to mask it at search time using this source= mysource | rex...
Custom app with KVStore Deployment
Hi guys, I've developed an app that will do the following:- *Have its own namespace, and GUI button for searching... Eventually its own style sheet! *Have collections/props/transforms.conf with a...
Rename an index
Is it possible to rename an index in the same way sourcetype and source can be renamed with props and transforms?
WinEventLog milliseconds identification
Splunk is not parsing the milliseconds into _time field. How to parse it during the index time? I have updated my TIME_FORMAT in props in all the search peers; yet it is not parsing properly. Thanks in...
How to use automatic external.py result in automatic lookup
In our situation, "host" may be an IP OR it may be a FQDN. I need this to be an IP so I created an automatic lookup for a specific sourcetype using external.py and:> dnslookup clienthost AS host...