Why are separate events combined as a single event from the 1st to the 9th of...
From the 1st until the 9th 23:59:59 of every month, individual events are being combined into one event. As soon as time shifts to the 10th 00:00:00, every event starts getting parsed properly with...
ADD_EXTRA_TIME_FIELDS=false leads to missing milliseconds
I have such props.conf [api] TZ = Europe/Moscow MAX_TIMESTAMP_LOOKAHEAD = 25 BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} BREAK_ONLY_BEFORE_DATE = true TIME_PREFIX = ^ MAX_EVENTS =...
Why are props.conf keys not recognized
I have a very strange behaviour in props.conf, the following stanza does not work: [SDCS-liveclone-xxxxxx-st_XmlWinEventLog:Security] TRANSFORMS-SDCS-liveclone-xxxxxx-wes-route1 =...
Issue with extracting multifield values due to props.conf transform.conf...
Hi Experts, I am trying to extract something like below type=type1,type3 My Data event1.epochtime=1282182111 type=type1 value=value1 type=type3 value=value3 props.conf [test] REPORT-type = mv-type...
Bro Logs: How can I remove fields that an analyst accidentally created, and...
I have an analyst that was playing around trying to extract a new field. Unfortunately, he used the delimiter function and instead of backing out of it, he saved it. So on top of the normal fields...
REST API Modular Input: How to remove meta data from JSON and split it into...
Hi All, I am pulling this json from REST input. {"meta":{"bucket":"second","bucketsize":"1","tstart":1510090302753,"tend":1510093902753,"group":{"mname":{"desc":"Monitor name of...
Need some help with event breaks
Hi all, I was hoping someone might be able to point me in the right direction for where to set this and how exactly to set it: I'm consuming some logs from SCCM (log sample below for reference) and...
Use JSON epoch date time instead of index time
I have a JSON that is for emails like the following: { [-] computer: { [+] } date: 2018-03-08T11:42:57+00:00 event_type_id: 553648152 timestamp: 1520509377 timestamp_nanoseconds: 893334279 } Note: the...
Regexp for transform.conf doesn't work
Splunk receives a log like this: Nov 15 13:02:10 172.20.20.3 test WARNING 1 "Invalid path" 178.217.60.3 0 10.18.7.98 2040 5 "bla bla bla" sampled 1 0 N/A low drop FFFFFFFF-FFFF-FFFF-000E-000059C98546...
Splunk for Symantec field extraction issue
I noticed that some fields within the Splunk for Symantec sourcetype=symantec:ep:security:file are not being properly extracted. For example, the Applications_Name field has time values: 2017-11-14...
Conf file precedence issue, JSON extraction
The props definition is below; when I save it in the app\search\local directory it doesn't work as expected (events are not broken properly). When saving the same configuration in system\local it works fine....
Testing props.conf file of app in $SPLUNK_HOME/etc/apps/my_app/local
I am having some issues breaking a multiline event properly. Each event starts with a 'Date ...' string that I can use as an event break so I used the web app to create a sourcetype that uses the regex...
Splunk Add-on for VMware: Issue with sourcetype extractions
Upgraded Splunk app for VMware to 3.4.0 with VMware v6.5.0... we are not seeing any sourcetype extractions based on props and transforms in Splunk_TA_vcenter... Splunk_TA_vcenter is installed on...
How to deal with repeating fields in a single event
We noticed that Microsoft OWA logs produce a repeating field. How can we make them into individual ones instead of just picking up the first hit? E.g. the Param field in the log below. `11/17/2017...
Event breaking not working on Tomcat Catalina data
I have some Tomcat Catalina data and I can't for the life of me figure out why it isn't line breaking properly. There are several different formats for the data going into the `catalina.out` files, so...
How to filter events on Linux Machine before forwarding them to Splunk?
The attached image shows the log I wish to forward; however, I want to detect ONLY newly added Cronjobs (only the first same entry of each command). I've done it on Splunk Enterprise after these...
CSV file import, problem with date format
I have been trying to onboard a custom dataset into Splunk as a CSV file, but the date format doesn't come out right. 199703260005,1997,3,26,,0,,160,Philippines,5,Southeast First is the year (4 digits), then...
Data masking using heavy forwarders
I've been trying to mask data before indexing into the indexer using heavy forwarders. Below is the log sample and the data I am trying to mask: JSESSIONID=SD1SL10FF3ADFF3" to JSESSIONID=#######FF3ADFF3" 189.222.1.46...
DATA filtering using Heavy forwarders
I was trying to filter the data sent to the indexer by filtering out some of it; below are the sample logs and configurations. Here I am trying to pass only category_id=FLOWERS to the indexer and ignore GIFTS...
Why isn't this regex working on /var/log?
Hi, I'm using a Single Instance of Splunk 6.6.2 and I've tried filtering some events of my log using the code below, but the filter doesn't work. I put this argument **"[\dbus\]"** into regex because I...