Field extraction from XML file
Hi, I have imported an XML file to Splunk, but want to change the field names to something more user friendly. I know that I need to edit the props.conf file but am not sure what to put for the part....
Unable to send same source data to two different logical indexes and two...
Hi All, Facing a few challenges, mine is playing around with the same transforms. I'm trying to get the same source data to forward to two different logical indexes and two different indexers...
Security Onion Server/Sensor Add-on: help making my data searchable?
I have managed to get Bro logs into Splunk, but even with the App/TA the data is still clunked together and not very searchable. I've seen a few props.conf files here and there but has anyone had...
Help with field aliases for XML file
Hi, I have imported an XML file to Splunk, but want to change the field names to something more user friendly. I know that I need to edit the props.conf file but am not sure what to put for the part....
Automatic lookup on a fieldalias field -- Is it possible?
My automatic lookup is not working on fields that were created via FIELDALIAS's. I have automatic lookups in my "search" app local/props.conf running on things like "src" and "dst" fields. These are...
Removing n whitespaces from event at Index time
Hi all, I want to remove the whitespaces from only the account value, and not the whole event at index time. Is this possible? Given the events look like this: {"account": "Account 1", "justification":...
Removing all white spaces from event at Index time
Hi all, I want to remove the whitespaces from only the account value, and not the whole event at index time. Is this possible? Given the events look like this: {"account": "Account", "justification":...
Props.conf timezone settings for Eastern? And do I need to reboot any peers?
In our Slave-Apps directory on the 2 peers/indexers we have a custom app created by the previous admin which has a setting for TZ to UTC for network devices that are on UTC. Now I am adding a new data source...
How can I splunk the output of the Microsoft Powershell GPO Report export?
I am attempting to ingest the output of the Microsoft Powershell GPO Report Export (i.e. Get-GPOReport -All -ReportType XML -Path c:\report.xml). The following props.conf splits the output into the...
Getting Error from TailReader
Hello, I am trying to upload a .csv file through my auto-index and I am getting this error in my internal logs " -0400 ERROR TailReader - error from read call from...
crcSalt is not working
I ingested SQL ERRORLOGs and SQLAGENT logs with my forwarder but didn't have the props.conf setup correctly. They showed up as binary (hex). I now have the correct props.conf setup and want to reingest....
Why are we getting "failed to parse timestamp defaulting to file mtime error"...
Hi Folks, we have logs in the format below and there is no timestamp on the first 5 lines, and we are getting the error "failed to parse timestamp defaulting to file mtime error" while indexing the data. We have e...
How can I filter events before they are indexed so they aren't indexed?
I tried this solution but no success. I am trying to filter data from being indexed. I need only the Error events. In props.conf: [source:://C:\\Windows\\System32\\winevt\\Logs] # Transforms must be...
Why are the transforms on indexer props being broken by the extractions on my...
Whenever I enable this EXTRACTION stanza on my universal forwarder, my TRANSFORM extraction stops working on my indexer: [web_app_logs] NO_BINARY_CHECK = 1 INDEXED_EXTRACTIONS = TSV PREAMBLE_REGEX =...
Does a change to props.conf require an indexer rolling restart?
I'm about to implement the change in [Why isn't the timestamp being recognized ?][1] [1]: https://answers.splunk.com/answers/579762/why-isnt-the-timestamp-being-recognized.html It will be in...
How to extract my event in index time using props.conf and transforms.conf?
How to extract my event at index time using props.conf and transforms.conf? How to extract by event at index time to get the expected format? Actual format: Tue Sep 26 11:38:08 EDT 2017 name="queue_browse"...
Where do I put props.conf and transforms.conf stanzas to parse custom IIS and...
I am trying to parse custom IIS and Windows Firewall fields using props and transforms. Our Universal Forwarders first send logs to Heavy Forwarders, then to the Indexers. Where is the proper place to...
Help with props.conf configuration to remove outer curly bracket before...
props.conf configuration to remove the outer curly bracket before ingesting a JSON file, from { "filters": [ { "id": "94960710-78a8-139d-6e52-5845eba8ebc9", "name": "admin", }, { "id":...