Making a delimited multivalue field using props and transforms
Hi guys, I'm having some issues with making my multivalue field work as I would like. My "cve" field has values like: "CVE-2017-3003, CVE-2017-3002, CVE-2017-3001, CVE-2017-3000, CVE-2017-2999,...
extract fields from json array with multivalue and sub-array
Here is my sample data { "applications": [ { "id": 2537302, "name": "addressdb_prod", "language": "dotnet", "health_status": "unknown", "reporting": true, "last_reported_at":...
Making a delimited multivalue field using props and transforms - qualys TA
Hi guys, I'm using the qualys TA to extract VM data and I'm having some issues with making a multivalue field out of the "cve" field qualys uses. My "cve" field has values like: "CVE-2017-3003,...
Making a multivalue field from a value obtained in a lookup
Hi guys, I'm not sure if this is possible or not, but it would be good to get it cleared up so I know for the future. So I'm wondering if I can use props and transforms (and maybe fields.conf) to make a...
Cisco Networks Add-on for Splunk Enterprise: modifying sourcetype for all...
I'm about to install the Cisco Networks App and Add-On into our environment, and I'm a bit new with Splunk. What has me a bit concerned are these two stanzas in the props.conf: [syslog]...
Problem filtering with props.conf and transform.conf
Hi, I read a lot of posts on Splunk Answers, but I still have a problem filtering a specific sourcetype. Here is the log line I want to trash `Sep 11 16:16:08 192.168.24.35 ROOT_FW_2: NetScreen...
Where does props.conf need to exist in a distributed deployment?
I think I need to push this from the deployment to each device or at least the forwarder and search head. I have 5 servers making up my SPLUNK Enterprise deployment, 1 SH, 1 FW, 1 DS, 2 Indexers. My...
Trouble setting nullQueue format in transforms.conf
Hi, I'm trying to remove the part of my watchguard logs from Splunk that just reports session timeouts. Here is what I'm trying: props.conf [watchguard] TRANSFORMS-watchguard = remove-session-timeout...
How to extract nested key value pairs from a specific JSON string field using...
I have JSON that looks like this. With the "message" field, there can be one or more key value pairs. How can I extract the key value pairs that are within the "message" field? { "severity":"INFO",...
Having trouble extracting a timestamp.
Hello all, I'm having an issue in my environment while trying to index a set of logs I get from a file nightly and attempting to process them. What is happening is that Splunk is not finding the timestamp...
What are the capabilities of the "force_local_processing"
Does anyone know the full effects of the new option "force_local_processing"? How does it change the following information: https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F What are...
How to extract date field from the filename in Splunk
Hello all, can anyone please help me to extract the date from the filename in Splunk? Below is my existing configuration, but I am not able to get the filename date as the indexing date in Splunk. Below is my existing...
splunk btool returns many duplicate events for props
Hi guys, I am experiencing odd behavior when using btool to troubleshoot some issues. When I run btool to get the list of props.conf in my instance I get lots of duplicates and I don't know why this...
Can I have two apps that have two different indexers and indexes for the SAME...
I have an app with an inputs.conf that has a stanza for [WinEventLog://Microsoft-Security-Logs] to an index and uses _TCP_ROUTING to make sure the events go to the correct indexer. I have a group that...
How to customize logging using transforms.conf and props.conf? Where do we...
How do I customize log events using the transforms.conf and props.conf files? Do we configure transforms.conf and props.conf on the Splunk forwarder, the search head cluster, or the indexer?
btool command returns many duplicate events for props.conf
Hi guys, I am experiencing odd behavior when using btool to troubleshoot some issues. When I run btool to get the list of props.conf in my instance I get lots of duplicates and I don't know why this...
How to edit props.conf to cope with two different time values in log file
Hi all, I have created an index and sourcetype for two log files. I have set up my props.conf to extract the date/time and separate it onto one line; however, one of my logs has a colon after the time and...
Can I make a search time field extraction from a piece of the file/source?
I need to create a field in Splunk that is a portion of the file path. Do I need to do that at index time, or can I do it at search time? I know the regex, I just don't know how to make a portion of source...
Need help with regex in props.conf
Hi all, Here is how my raw logs look. I need help with props.conf so that I can index by the second time field instead of the first one. Sep 19 12:45:19 129.106.x.x fdbsyslog: **timestamp=2017.09.19 -...
JSON file getting truncated
Below is my i/p file { "Count": 2, "Items": [ { "total_time": { "S": "0.000s" }, "start_date_time": { "S": "2017-09-19 05:00:43" }, "bad_records": { "N": "0" }, "successful_records": { "N": "0" },...