props.conf Line Breaking
Hello everyone, I have several events with different time stamps that I'm trying to break up. The props file I'm using is as follows: sourcetype=applogs SHOULD_LINEMERGE=true NO_BINARY_CHECK=false...
Aruba ClearPass App for Splunk Enterprise: Why is data not readable?
I have configured Aruba ClearPass App for Splunk Enterprise on forwarder and indexer. Made sure data is coming on tcp 1514 and enabled port on both forwarder and indexer and configured to aruba index....
Cisco Networks Add-on for Splunk Enterprise: Why are events not line breaking?
Hello World, I've done a pretty straightforward setup from the Cisco Networks App and Add-on for Splunk Enterprise. We've got a distributed environment with indexers and Search Heads. The input is...
Structured data (TSV) configured on Universal Forwarder with Transform...
I have some TSV files that I am forwarding with a Universal Forwarder. I have props.conf configured on the UF with the following for the sourcetype: FIELD_DELIMITER = \t HEADER_FIELD_LINE_NUMBER = 1...
Linux Auditd: How to override the default configurations for props.conf?
When the Linux Auditd app is installed on a Splunk Enterprise (indexer), is the props.conf in the TA_linux-auditd/default/props.conf overriding anything by default? I am confused on how overriding...
Splunk Add-on Builder: Why is my regular expression to remove first line of...
I used the Splunk Add-on Builder to export an add-on that I'm working on, but I needed to make a tweak to props.conf and transforms.conf in order to remove the first line of multiple source types (text...
How to edit props.conf to line merge a set of results?
Hello, I have the below set of line events (repeating) which I want to convert to a single event. For every 6 events I want to convert it to 1 event, viz. below 07/24/2017 16:16:31 host=myhost SMB1Enabled=0x0...
Sourcetype Assignment
Hello All, I have two servers with hostnames H1 & H2; both have the same log file named "/apps/logs/log.log". I have set the line breaking based on source file name in my props.conf, for ex:...
How do I adjust forwarded Windows Event Logs fields to properly standardize...
Hello, I am hoping someone from this awesome community can help me out with a Windows event logs/forwarding issue(s) I am having at index time. Background: I have a WEC server that is receiving all...
Change field to arbitrary value following a regex match using props.conf and...
I have two firewall devices that log their activities in different formats. I'm trying to create CIM compliant logs. I want to have a field labeled "action" and I want it to set that field to either be...
Time Zone issue
Hi All, We have application logs configured to Splunk. When I search for the last 15 min there were no results, but when I search for the last one hour it gave so many events. Upon checking it, I came to...
Setting up props.conf and transforms.conf log filtering in Splunk Web. Can...
I apologize if this is a very obvious question, but I'm completely lost. A project I am working on is to filter the logs coming in so they are never indexed in the first place. Using a question here, I...
How to exclude the Windows events with Splunk process before indexing?
Hi, I see a lot of events in Windows logs with Process splunk-regmon, powershell etc. Is there a way to exclude the processes before indexing? Message contains: C:\Program...
I want to make a field as index time
I have a csv file that contains timestamp; name, create_date, duration, distance are field names; sourcetype: example. I want to make that field the indexing time; what changes do I have to make in config files?
How to prevent Splunk from merging a few JSON strings into a single event?
Example raw data: {"field1": "value1", "field2": "value2", ..., "string": "1" } {"field1": "value1", "field2": "value2", ... ,"string":"2"} {"field1": "value1", "field2": "value2", ..., "string":"3" }...
How to fix my universal forwarder configurations so that Splunk only forwards...
I am trying to forward to a third-party system from a Universal Forwarder. I have tried two approaches. In both cases I am receiving a lot of unnecessary data on the third-party end. It looks like...
How can I search all the XML nested data?
Dear all, I need to search all XML tagged data including nested data, but I only get the first data by a search command. Please help me: how can I search all the XML data? Splunk version is 6.5.3. Here are...
Not able to extract _raw data using props.conf and transforms.conf
Hello Splunk Gurus, I'm extracting the data from database-input (using Splunk DBX 3.1.0) and sourcing that to index "my_index". When I search from Splunk I see the following output: **Splunk Search: **...
How to reset 'props.conf' to defaults w/o reinstalling Splunk?
Hi all, I have Splunk on Windows 10. I fiddled recently with some properties in "C:\Program Files\Splunk\etc/system/default/props.conf" but later I restored them to defaults (or so I thought. I might...
Extract fields from JSON array with multivalue and sub-array
Here is my sample data { "applications": [ { "id": 2537302, "name": "addressdb_prod", "language": "dotnet", "health_status": "unknown", "reporting": true, "last_reported_at":...