Props/transforms issue with host extraction and line breaking
Transforms.conf:

[force_host_for_testdata]
DEST_KEY = MetaData:Host
REGEX = server:([^\\]+)
FORMAT = host::$1

[force_host_for_testdata_1]
DEST_KEY = MetaData:Host
REGEX = MQ:\s+([^\\]+)
FORMAT =...

How to redirect DB table rows to different indexes based on the field?
Hi, I have the below table in my database:

Computer   Application   Duration
BLR0057    Calculator    30
CHN0056    MS-Word       43
DEL0078    MS-Excel      55

But I need to forward each row to a different index based on Computer...

Extract a string from a Splunk event
Hi, can anyone please give me the props for removing the hostname= and path= strings from the below event: hostname=ip-10-13-0-248 path=/var/log/armorvox/2018/01/armorvox.2018-01-16.log 2018-01-16...

Trying to anonymise data using the SED command
I have been trying to anonymise the below logs using the SED function, but it's not working. Please find the use case below: **Input:** 10.192.1.46 - - [30/Jul/2014:23:59:15] "POST /flower_store/order.do...

Possible bug in Monitoring Console (Indexing->Inputs-Data Quality->Timestamp...
Hi, I have a logfile that generates exceptions. When there is no exception it just generates event lines with a header and a footer. These events without a timestamp generate timestamp parsing issues...

Why do I have field names in my TSV data?
Hello, I have configured a monitor for our TSV data but I am getting field names in the data. I believe it's because I'm using "FIELD_NAMES" in my props.conf, OR it's since these are in the file header...

Why is my props.conf for a specific sourcetype not working as expected?
When placing my props and transforms on my production system, I am not getting expected results. It should be taking sourcetype webseal:syslog, which is ingested from /var/log/messages, and setting a...

Why is my TSV data out of order?
Hello, we are parsing data from a TSV source. The data file has a header that is very long, about 281 columns. What is happening is that we are getting data in the wrong fields. For example: Field:...

How can SEDCMD be used to extract and modify KV pairs from multiline events?
Here is a sample event I am attempting to parse and substitute 'SomeData=.*Transaction Type : ' with 'TxnType=' DT=2018-01-23T14:29:56.456-0800 | AppId=R4 |AppInst=SIMULATOR:201801231429 |LogId=TxLog...

Why is Splunk not showing full JSON data on search?
I have a json file that contains 2000+ lines of data, it looks somewhat like this - [ { "line": 2, "elements": [ { "before": [ { "result": { "duration": 6692500639, "status": "passed" }, "match": {...

How to filter out IPs from being indexed?
I am not good at regex, so I need help filtering some IPs from being indexed. raw event looks like this: `192.168.184.25 - - [26/Jan/2018:10:46:06 -0500] "HEAD / HTTP/1.0" 302 0 "-" "avi/1.0" "-"...
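The three index-time routing questions above (forcing `host` from the event text with `server:([^\\]+)`, sending database rows to different indexes by the Computer column, and keeping particular IPs out of the index) all come down to a transforms.conf stanza with `REGEX`, `FORMAT` and `DEST_KEY`. What follows is an added example, not code from any of the posts and not Splunk's own code: a small Python emulation of that stanza logic so the regexes can be checked offline against constructed sample events before they go anywhere near a production indexer. Everything except the `force_host_for_testdata` stanza is an assumption made for the example: the stanza names `route_blr_to_index` and `drop_monitoring_ips`, the index name `blr`, the IP list, and the sample events.

```python
"""Offline emulation of Splunk index-time transforms (REGEX / FORMAT / DEST_KEY).

Added example, not from the posts above and not Splunk code. It mirrors the
stanza semantics closely enough to test regexes: REGEX is matched against
_raw, $1..$9 in FORMAT are replaced by capture groups, and the result is
written to the metadata key named by DEST_KEY.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Transform:
    """One transforms.conf stanza: the three keys an index-time transform needs."""
    name: str
    regex: str      # REGEX  (PCRE in Splunk; Python's re is close enough to test)
    fmt: str        # FORMAT ($1..$9 are replaced by capture groups)
    dest_key: str   # DEST_KEY: MetaData:Host, _MetaData:Index or queue


@dataclass
class Event:
    raw: str
    meta: dict = field(default_factory=dict)


def apply_transform(ev: Event, t: Transform) -> bool:
    """Apply one stanza to the event's _raw; return True if REGEX matched."""
    m = re.search(t.regex, ev.raw)
    if not m:
        return False
    value = t.fmt
    for i, grp in enumerate(m.groups(), start=1):
        value = value.replace(f"${i}", grp or "")
    if t.dest_key == "MetaData:Host":
        # Splunk expects FORMAT = host::<value> for this key; store the bare value.
        value = value[len("host::"):] if value.startswith("host::") else value
    ev.meta[t.dest_key] = value
    return True


def apply_all(raw: str, transforms) -> Event:
    """Apply stanzas in list order, as TRANSFORMS-<class> = a, b, c would."""
    ev = Event(raw)
    for t in transforms:
        apply_transform(ev, t)
    return ev


# Constructed transforms.conf that the list below encodes (assumed names/values):
#
#   [force_host_for_testdata]          # host from "server:<name>\..." as in the post
#   DEST_KEY = MetaData:Host
#   REGEX    = server:([^\\]+)
#   FORMAT   = host::$1
#
#   [route_blr_to_index]               # hypothetical index "blr" for BLR* computers
#   DEST_KEY = _MetaData:Index
#   REGEX    = ^BLR\d+\s
#   FORMAT   = blr
#
#   [drop_monitoring_ips]              # anchored and escaped: .25 must not match .250
#   DEST_KEY = queue
#   REGEX    = ^(?:192\.168\.184\.25|10\.0\.0\.7)\s
#   FORMAT   = nullQueue
TRANSFORMS = [
    Transform("force_host_for_testdata", r"server:([^\\]+)", "host::$1", "MetaData:Host"),
    Transform("route_blr_to_index", r"^BLR\d+\s", "blr", "_MetaData:Index"),
    Transform("drop_monitoring_ips", r"^(?:192\.168\.184\.25|10\.0\.0\.7)\s", "nullQueue", "queue"),
]

# Constructed sample events resembling the ones in the posts (not copied from them).
SAMPLE_EVENTS = [
    '192.168.184.25 - - [26/Jan/2018:10:46:06 -0500] "HEAD / HTTP/1.0" 302 0 "-" "avi/1.0" "-"',
    '192.168.184.250 - - [26/Jan/2018:10:46:07 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.58" "-"',
    "BLR0057 Calculator 30",
    "2018-01-16 10:00:01 server:web01\\Logs\\app.log started",
]


def route_events(events, transforms):
    """Return {raw: (queue, index, host)} after all transforms; defaults mirror Splunk's."""
    result = {}
    for raw in events:
        ev = apply_all(raw, transforms)
        result[raw] = (
            ev.meta.get("queue", "indexQueue"),
            ev.meta.get("_MetaData:Index", "main"),
            ev.meta.get("MetaData:Host"),
        )
    return result


if __name__ == "__main__":
    for raw, (queue, index, host) in route_events(SAMPLE_EVENTS, TRANSFORMS).items():
        print(f"{queue:10} {index:5} {host!s:6} {raw[:60]}")
```

Two things worth checking in the output: the IP regex is anchored with `^` and terminated with `\s`, so `192.168.184.25` is dropped while `192.168.184.250` is kept, which is the usual mistake when the dots are left unescaped or the octet unanchored; and the host value is taken up to the first backslash, exactly as `[^\\]+` in the posted stanza intends. In props.conf the stanzas are attached under the sourcetype with `TRANSFORMS-<class> = force_host_for_testdata, route_blr_to_index, drop_monitoring_ips` and run in that order within the class. They execute in the parsing pipeline, that is on the indexer or a heavy forwarder, not on a universal forwarder, and only for data indexed after the change, so a scratch sourcetype on a test indexer is the authoritative check.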

Help using props and/or transforms to mask sensitive field data at index time
I have sensitive data that I'm attempting to mask at index time and I can't quite get the props and/or transforms to work. Please help. The sourcetype is: JMRequests

props.conf
[pw-mask]...

Do TRANSFORMS in a source stanza and a sourcetype stanza both apply?
I am thinking of merging a variety of sources being monitored by a Universal Forwarder into a single `sourcetype` for indexing (and later searching) purposes. The sources each have specific...

JSON: how to break a file into single events
Hi Everyone. I am using the API data input with Splunk to collect the following data. The format I'm using is JSON. SAMPLE: { "Meta Data": { "1. Information": "Daily Prices and Volumes for Digital...

How do I replace null values at index time rather than search time?
How do I replace null values at index time rather than search time? Tried adding this to props.conf file but it didn't make a difference. `SEDCMD-replaceblanks = s/,,/,Null,/g` I know I can do a...

What configuration is required to index a single log with one event only,...
Hi, My query is that Splunk indexer is indexing a single log with two separate events whereas it should be one event only. The issue is that I am receiving two timestamps in a single log and I need...

How to create a dropdown with a custom time range?
I am having the field StartDate in the Splunk log. My search should be based on the StartDate field instead of the event date. For example, I have the event date as "31-01-2018 09:23:23" and the data as below:...

How to remove binary data from the event in files on a Splunk forwarder?
Hi! On a Splunk forwarder (universal) some of the files monitored contain binary data that we do not want to send to the indexers. It seems impossible to prevent the logging applications on the server...

Anonymize -p password
I need to anonymize -p passwords that are appearing in syslog. Used props.conf:

[syslog_log_control]
source::/var/log/syslog
TRANSFORMS = auth-password-anonymizer

transforms.conf...
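Four of the questions above (anonymising the access log, masking sensitive fields at index time, replacing empty CSV fields with `Null`, and hiding `-p` passwords in syslog) rest on the `SEDCMD-<class>` setting in props.conf. The following is an added example, not from any of the posts and not Splunk's code: a Python emulation of the `s/regex/replacement/flags` form that `SEDCMD` accepts, run against constructed events patterned on those posts. It also shows why the `s/,,/,Null,/g` from the null-values question fills only every second empty field (sed-style global replacement does not overlap matches) and a lookahead form that handles runs of empty fields. The `SEDCMD-*` key names, the regex patterns, the mask strings and the sample events are all assumptions made for the example.

```python
"""Offline emulation of the SEDCMD-<class> props.conf setting.

Added example, not from the posts above and not Splunk code. Only the "s"
command with the "g" flag and \1-style backreferences is emulated, which is
all the posts use. Splunk's SEDCMD regexes are PCRE; Python's re accepts the
same lookaround and backreference syntax used below.
"""
import re


def parse_sed(expr: str):
    """Split a sed-style s<d>regex<d>replacement<d>flags expression on its delimiter.
    A backslash-escaped delimiter inside the regex or replacement is kept literally."""
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError("only the s/// command is emulated")
    delim = expr[1]
    parts, buf, i = [], [], 2
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr) and expr[i + 1] == delim:
            buf.append(delim)          # "\/" inside the pattern means a literal "/"
            i += 2
            continue
        if ch == delim:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    if len(parts) != 3:
        raise ValueError(f"malformed expression: {expr!r}")
    return parts[0], parts[1], parts[2]


def sedcmd(expr: str, raw: str) -> str:
    """Apply one SEDCMD-style expression to an event's _raw text."""
    regex, repl, flags = parse_sed(expr)
    count = 0 if "g" in flags else 1              # g: replace every non-overlapping match
    return re.sub(regex, repl, raw, count=count)  # \1 backreferences work in sed and re


# Constructed sample events, patterned on the posts above (not copied from them).
SAMPLE_SYSLOG = ("Jan 30 10:11:12 host01 sudo: alice : COMMAND=/usr/bin/mysql "
                 "-u root -p S3cr3t! --port 3306")
SAMPLE_ACCESS = ('10.192.1.46 - - [30/Jul/2014:23:59:15] '
                 '"POST /flower_store/order.do HTTP/1.1" 200 512')
SAMPLE_CSV = "BLR0057,Calculator,,,30,,"   # two empty fields in a row, two trailing

# (props.conf key, expression, event). Keys and patterns are assumptions for the example.
CASES = [
    # -p, optional space, then the password; the lookbehind keeps "--port" intact.
    ("SEDCMD-mask_p_password", r"s/(?<!\S)(-p\s*)\S+/\1********/g", SAMPLE_SYSLOG),
    # Keep the /24, drop the host octet of the client address at the start of the event.
    ("SEDCMD-anon_client_ip", r"s/^(\d+\.\d+\.\d+)\.\d+/\1.xxx/", SAMPLE_ACCESS),
    # As posted in the null-values question: misses every second empty field.
    ("SEDCMD-replaceblanks", r"s/,,/,Null,/g", SAMPLE_CSV),
    # Lookahead consumes one comma per match, so runs and trailing blanks are all filled.
    ("SEDCMD-replaceblanks_fixed", r"s/,(?=,|$)/,Null/g", SAMPLE_CSV),
]


def run_examples() -> dict:
    """Return {props.conf key: rewritten event} for every case above."""
    return {name: sedcmd(expr, raw) for name, expr, raw in CASES}


if __name__ == "__main__":
    for name, rewritten in run_examples().items():
        print(f"{name}\n  {rewritten}")
```

On the CSV sample the posted expression yields `BLR0057,Calculator,Null,,30,Null,`, leaving one of the two adjacent empty fields and the trailing one untouched, while the lookahead form yields `BLR0057,Calculator,Null,Null,30,Null,Null`. For the password case, a bare `-p\S+` or `-p\s+\S+` also matches inside `--port` and `-password=`-style arguments, so anchor the flag on whitespace as above and run the expression over a day of real syslog before deploying it. Like `TRANSFORMS`, `SEDCMD` runs in the parsing pipeline, so it belongs on the indexer or heavy forwarder that parses the data, not on a universal forwarder, and it changes nothing already indexed.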

How to do event linebreaking and timestamp recognition in header lines...
Hi Folks, I am adding data from a log file with filename server_zmslx1xt1119.log. For the timestamp, the first 7 lines do not have a timestamp, fail to parse and default to filemod time instead of...