How to edit my configurations to assign sourcetype?
Hello, I am trying to index the following files: c:\test\access.log c:\test\access_00.0.log c:\test\access_00.0.trc c:\test\log\responses_01.0.trc c:\test\log\responses_01.0.log The sourcetypes for those...
If not condition in TIME_PREFIX
I am working in the FIX log messages and have two fields that contain timestamps. I need to check for one field and if that is not present check for the other field. I'm facing a problem if both of the...
unarchive_cmd for decoding binary file with python script
Hi All, So following this excellent blog post I thought I found a solution to ingesting a binary logfile with Splunk....
How to reduce the cisco ASA logs using regex?
Hi, Is there a way to ignore an event containing the message before indexing using regex in props.conf and transforms.conf, i.e. ignore the msg that contains "10.11.12.133 to 10.11.12.134 "?
Why is my Event line breaking not working properly?
Hi, I've reviewed almost all the questions about event line breaking but still have some inconsistency with data ingesting to my Splunk Enterprise. Is there any sort of debugging/logging system for data...
Why are changes made in props.conf not taking effect?
My sample data AAA, 0.5% BBB,0.10% CCC,0.20% my search looks like this base search | rex ".*?(?[^,]+),\s*?(?.*)" | table name,value My entire data comes in as a single event. I want to avoid this. I am...
Datanow props/transforms not working properly
I have some Datanow syslog data coming into my environment and I have set up a transforms.conf file to extract some specific fields for me. Unfortunately, it is not pulling these fields. I am following...
regex for selecting all fields except specified fields
Hi, Could you please help me to select all the fields except specified fields. My data is pipe separated. My Data:: event1:-...
Splunk props.conf
Hi, My logs are not breaking correctly. Below are sample logs 16:40:13,732 INFO [web] (http-thread-pool-331) Redeemed promotion=BI_500_POINTS for usa_id=2300000032458812 channel=OMS amount=500.0...
Props.conf file changes
Hi, my sample data looks like this 101,Mango,0.40% 102,Orange,0.70% It is coming as a single event, as I want to split it into multiple events based on the new line escape character. What changes do I need to make...
Is it possible to set a conditional timestamp from indexed events?
I have an XML file with "items" that are being indexed. The issue is that these "items" can possibly have two different timestamps. At the time of indexing I want to specify the timestamp conditional...
What edits do I need to make in my configurations to mask passwords while...
**log file** : { [-] hostname: kjasfh56kh2!@# level: 20 msg: Initializing TextToSpeech with config { username: 'abcdefghi-asjfakfn', **password: 'abcdefghijkl',** version: 'v1', headers:...
How to extract date field from the filename in Splunk and assign _time value...
Hello Everyone, I have text file 20170701.txt where 2017-year, 07-month and 01-date. This file is coming from the universal forwarder, below is my `inputs.conf` (C:\Program...
Unable to get day value padding to work via the props.conf
Unable to get day value padding to work via the props.conf. The log file looks as follows: Jul 5 20:51:28 abcdenc06 lost page write due to I/O error on dm-1 The source has multiple names in the 4th...
Rename sourcetype to keep all the same no -too_small or -2,-3 added
We have a 3 index/3 search head cluster with master and deployment server. I have an inputs.conf with [monitor:L:\SampleServices\Debug\*] disabled = false index = sample_services But we keep getting the...
Lookup in props using combined columns
While writing props/transforms for an in house TA, I'm stuck with a tricky situation. I'm making use of a lookup file to enrich my dataset. But the lookup is a combination of multiple columns in the csv...
Multi-line event and props.conf
I've got something that is confusing me. I've got a file, /logs/oud_ds/audit, of raw events that looks like this # 07/Jul/2017:04:33:15 -0700; conn=-1; op=916539 dn: dc=dummy,dc=org changetype: modify...
Timestamp milliseconds not appearing
Hi there, I am extracting a timestamp in props.. everything is working fine except for the milliseconds at the end of it. Date format is 2017-07-11 08:54:12,815 -- my extraction is %Y-%m-%d...
Lookup fields: How to re-evaluate or re-alias in props?
As per props.conf spec Splunk processes lookups after it processes field extractions, field aliases, and calculated fields (EVAL-* statements). This means that you can use extracted fields, aliased...
How to edit props.conf to ignore timezone information?
I've got data with a timestamp that looks like this [2017-07-06T16:32:38.977-07:00] In props.conf I have this TIME_PREFIX = ^\[ MAX_TIMESTAMP_LOOKAHEAD = 24 TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N...