Timestamp mismatch occurring from events with the Splunk timestamp.
Hi, please help me fix this. I would like to consider the timestamp extracted from the events, but I see two different time formats in events, as you can see in the below events. And, the search head...
How can I overwrite _time at index time when importing a CSV file?
I have historical stock data in CSV format. I'm able to parse all the data, each date gets extracted to a 'date' field. Using calculated fields, I can overwrite _time at search-time. The problem here...
Long XMLs are split into multiple events in Splunk?
------------------------------------------------------------------------------------------------- Transport : GoodTransport System : ESS JMS Message ID : ID:414d512042542e51e37d79596dde3421 Queue JNDI...
Why is my EVAL configuration in props.conf on the Search Head not processing?
I'm working with data that is being sent from a universal forwarder (UF) on the server. I do an INDEXED_EXTRACTION in the props.conf on the universal forwarder. When I search for the data on the search...
Is there any way to apply cluster-bundle without rolling restart and search...
I have a use case where we're updating props.conf frequently. We'd like to ideally be able to do this on an ad-hoc basis so that we don't have people waiting 'till the next day to start seeing their...
How to specify source stanza for non-file input types in props.conf
I am trying to write some source:: stanzas in props.conf to forward data to another system. For file inputs (e.g., monitor type inputs), I can write [source::/path/to/file] and it works. However, I am...
How to extract the fields using regex and props.conf at indexing time?
Hello, how to use regex in props.conf to extract the fields in the below sample event with source type "syslog"? 08/11/17 13:30:34 abckdefrg44 openfep[1123]: [log.c][411]: CPM ALSLLER (ID 5):...
Forward data received on a port
I have a Splunk instance configured to receive data on port 9997 from 2 forwarders. If I want to configure it to forward data received on port 9997, what should I write as the stanza in props.conf? For...
Forward data received on a port to a third party system
I have a Splunk instance configured to receive data on port 9997 from 2 forwarders. If I want to configure it to forward data received on port 9997, what should I write as the stanza in props.conf? For...
ASA filter not letting logs through?
Hello everyone, One of the projects I worked on was to build a filter for ASA logs in Splunk so logs we were not interested in would not be indexed, thus preserving the license. I did that, and it...
Why does my indexed data appear as a series of x and o characters?
Hello, I am running a PowerShell script to download HTML code from two pages: i.e.: $wc.downloadstring("https://www.website.com/index.html") >C:\Output\Output.txt...
Can I use a multiple field alias to normalize across sourcetypes?
Looking for the most effective way to "normalize" fields across multiple indexes and sourcetypes. We have 30+ indexes with that many (or more) sourcetypes. Many of these are for internal applications...
Why am I seeing these extra fields when I log a BZ2 file?
One of the log files being monitored by Splunk is a bz2 file. It is being read by the UF on the server. The local/props.conf in the add-on to process the events looks like this: [mvm:csv]...
Can I still send data to nullQueue while using _MetaData:Index to send data...
I have one source directory in the inputs.conf file that I need to parse out and send different events to different Indexes. I attempt to do this by using the _Metadata:Index Key within the...
Lines break when indexing JSON data using props.conf attributes
Hi team, I am not able to index the below JSON data in Splunk 6.2 with the below props.conf attributes. It's breaking at every line and treating each as a separate event with no field extraction. When I add the same...
Replace single quotes with double quotes
All, we have a lot of key value pairs using single quotes. I am THINKING there is a way to fix this using SEDCMD. But honestly I don't see how. Any ideas? I can do them as one offs pretty easy, but I'd...
How to exclude Null Values from field extractions
I am building a TA. The issue I am having is the log file has a field error="". Even though it is null the error field is still there and causing CIM to tag the logs as error. I am hoping you can help...
Palo Alto Networks syslog: 1 host is ingested with incorrect date
Pretty weird situation here. Bringing in multiple palo alto syslog sources, all going to the same main syslog directory, then divvied up by host name, so...
How to split data into separate sourcetypes with transforms
Hello, I have an input that is monitoring a file. In this file there's data of multiple formats, including timestamps; it's bad, but I was thinking I could use a transform to set sourcetype in props that I...
If I change an event's sourcetype, can it then be processed as that...
It seems that the transformation layer only processes an event once. If the factors that influence which props.conf stanza are applied, this does not cause the event to continue to be processed. Is...