I need help with a regex for line_breaker in props.conf
Hi Team, Need help with regex for the LINE_BREAKER attribute in props.conf. I have the below log pattern delimited by |, however it looks like this is one big event type which does not have a newline or...

How to fix a timestamp issue for Symantec logs?
Hi All, Currently we are facing a problem with the timestamp for Symantec log data. Problem: When we search with the below query, we can see that the Splunk _time field is different from the event's...

Help with parsing a cmd log file
============================================== **Command: C:\cmd command - xxx.. Started at: 12/04/2017 07:03:02 Finished at: 12/04/2017 07:06:03 with code 0**...

About the license when using SEDCMD
In my environment, for the "csv" data to be captured, the column that is not needed is dropped using SEDCMD. For example, the following example excludes the third column "description". example Data...

How to index full json data and automatically extract fields without using...
Here's the format of the data I have been working on. I've tried using INDEXED_EXTRACTIONS=JSON in props but the event data is less than expected. { "d": { "results": [{ "__metadata": { "id":...

Field Calculation not working
What I'm trying to do is create a field named ids_type and make it equal to network. (ids_type=network) I'm trying to add a new field to a sourcetype. The name of the field is ids_type. I created an...

Splunk Modular Input cuts events
Hello, I play with Python API Modular input: import splunk.input as input (...) input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'incident_settings.py',...

Unable to change timezone of the logs
We have a host sending logs in UTC timezone and we want to display it in US/Central timezone. I have added the below configuration in the props.conf file on our indexer, but this does not help....

How to parse Radius log files into splunk? What the configuration required...
Log entry example :...

Multiple fields extraction using props.conf
Hi, We have a search that extracts Customer and Country correctly: index=aaa host="*Host1*" sourcetype=aaa_bbb | rex field=source "C:\\\DIR\\\(?<Customer>\w*)\\\(?<Country>\w*)" | table source,Customer,Country source...

Where can I find a good video on field extraction (parsing)?
Hi All, Can anyone share a good video link explaining the Field Extraction concept for both index-time and search-time field extraction via props.conf? I had gone through the Splunk documentation on...

Help creating a sourcetype for this data
I've been trying to figure out a way to create a sourcetype and extract data like this. Can someone help? It appears to be 3 groups. Here is the ideal break out of the fields required. The first 2 lines...

Why is the timestamp showing up in the future on some sourcetypes?
Hi Team, Currently we are having an issue where, for certain sourcetypes, the indexed events have a future timestamp. The problem is with the Symantec logs source that is forwarded from a third party device...

Inconsistent linebreaker behavior
Hello all, I have configured the props file to NOT break the event when it encounters a new line with a date; however, sometimes the event is broken at the line containing the date and sometimes the event...

Need help extracting timestamp from unstructured data (JSON)
Need help to extract timestamp and structure data - {**"time":"2017-12-12 16:25:27.418 +05:30"**, "severity":"INFORMATION", "_tag":"", "correlation_id":"null","Message":"[RequestController]...

Assigning sourcetype to a source in HeavyForwarder props.conf is not working
Shouldn't this work? It only works if I assign the sourcetype in the inputs.conf of the Universal Forwarder, but I don't want to assign it in the UF. [source::///...../config/server.cnf]...

weblogic and line breaking
I am trying to read the weblogic DefaultAuditRecorder.log which looks like this (and doesn't seem to be covered by the weblogic app in splunkbase) #### Audit Record Begin <<<>,...

Apply search field extraction to props.conf and/or transforms.conf so...
I have some BIG-IP data that I am ingesting as plain text files, as I can't directly connect to the BIG-IP servers due to security rules. I have used regex field extractions to extract various data...

Custom datetime.xml not working for log with multiple timestamps
Hello, We have a log which has 5 different timestamps. I am trying to use a custom datetime.xml created using the splunk train dates cmd but it is not working. Different Timestamps 2018-01-05_18:15:42.208...

Trying to filter ESXi before being indexed
Not sure if this is possible on a single server instance of a Splunk setup but I have all my ESXi logs forwarding to my Splunk server over TCP:1514. I did some digging and found references to the...