Override host field with event data
Hello, I am indexing some data from a file monitor and i want to override the host field with data that lays inside the events. Below is a sample of the data and the values i want for the host field...
View ArticleTime format throwing error
Hello All, i have a sourcetype with timestamp as **"2017-10-10T18:55:47.425Z"** and i defined TIME_FORMAT as **"%Y-%m-%dT%H:%M:%S.%3%Z"** but seems to be issue am getting the following error Bad...
View ArticleMore linebreaking issues
I'm having some issues with linebreaks in one of our logs. I used **LINE_BREAKER = WSDL(,\s*)** that covered most of the log format, however I'm still having some issues with random events. Anyone have...
View ArticleCan I use regex to extract the host field for cisco:ios events?
I have WLC and Equallogic sending logs on port udp 514. Currently, only cisco sourcetype is configured and hence all data is getting parsed as cisco:ios sourcetype. I want to parse data sent by 6...
View Articleprops.conf how to break event after every new line?
As stated in the question, my props.conf has the following settings: [daemonforCent] LINE_BREAKER = ([\r\n]+) SHOULD_LINEMERGE=false And as you can see, the result is still the same, not breaking...
View ArticleCitrix NetScaler with AppFlow: Dashboards not working Properly
Hello All, I have done a clean install of the latest version of Citrix Netscaler with Appflow and it seems that the props/transforms are not working properly to populate the default dashboards. Anyone...
View ArticleUsing Splunk heavy forwarder - Filter data before TCP routing - What's wrong...
Hi, I'm using a Splunk Heavy Forwarder with props.conf, transforms.conf and outputs.conf to selectively send events to different splunk Indexers based on the sourcetype. That works well. But now I have...
View ArticleCapture second timestamp that includes subseconds
Here's an example beginning of an event line Oct 20 20:57:03 sfo-prd-wsux02 apache2: [Fri Oct 20 20:57:03.398765 2017] [proxy:error] [pid 32083:tid 140031679186688] I'm trying to capture the second...
View ArticleSplunk For U-verse Home modem: How can I extract additional fields?
Hi, So finally I was able to make my U-Verse modem feed the data in to my Splunk AT&T U-Verse add-on but only what I'm getting is "All U-verse Events" The modem model is 5268AC. Is there anything...
View ArticleWhat is wrong with my transforms.conf and props.conf settings? I'm getting...
Hi All: I am unable to get the metadata host field in Splunk for the value of the database field called "HOSTNAME". This value is the endpoint value of the device. Instead I am getting value of the...
View ArticleHow can we split the lines in logs as individual events?
Hi Team, Currently we have the logs getting indexed into Splunk in this format but we require that each line has to be indexed separately in Splunk. Current Logs getting indexed in Splunk as a single...
View ArticleINDEXED_EXTRACTIONS = json, fields are extracted as strings, even fields that...
I have INDEXED_EXTRACTIONS = json in props.conf. Json data are extracted OK, but ... All fields are extracted as String data type, even fields with numbers only. I can not do any mathematical...
View ArticleBlacklist events for specific sourcetype and host
I know how to blacklist specific event for host or sourcetype. But I couldn't figure out how I can blacklist events fro specific host and sourcetype. Here is my scenario Hosts: host1, host2 Sourcetype:...
View ArticleSplunk Add-on for F5 BIG-IP: linebreaking issues
Background information about my environment: Distributed environment with CM server, clustered indexers(two indexers), two search heads(not clustered) We have the F5 Network Apps that helps with the...
View ArticleChange Log Event Timestamp
Hello, I am having hard time in understanding timezone assignment to the log event. I went through all the required doc but still doesn't have proper understanding. My log time stamp look like below,...
View ArticleChange timezone of timestamps from UTC to AEDT
Hello, I am having hard time in understanding timezone assignment to the log event. I went through all the required doc but still doesn't have proper understanding. My log time stamp look like below,...
View ArticleProblem routing to third party system using sourcetype
I need to take all of a sourcetype and index it into Splunk and send a sub-set of that sourcetype to a third party system. I can't even get it to write anything using props, transforms and outputs....
View ArticleCan´t save DATETIME_CONFIG parameter in our sourcetype
Hello, we have tried to edit our sourcetype as described in the followig article: https://www.splunk.com/blog/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename.html Pulling the...
View ArticleSplunk Assigning Random _time to part of my indexed data
Hello, I have a csv that is loaded weekly and in the beginning of September, ~20,000 records out of my 90,000 records dropped each week were randomly being assigned the time stamp 3/23/15 11:02:55:300...
View ArticleHow to apply Time Zone TZ = UTC to only 14 hosts out of 16
Let's say we have 16 hosts with the same sourcetype=devicetype 14 hosts are in UTC, 2 hosts are in EST (local) time zones. All hosts have name that starts with the same prefix "host-": host-au,...
View Article