Why is the Eval on an extracted field explodes number of scanned events?
Hello everyone, Here is a wierd case i just faced. In a props.conf file (on the search head), i extract some fields in a sourcetype : [MySourceType] EXTRACT-MyFields = ... ((?[^#]+)#)?(?\S+) ... Note...
View ArticleWhy is the Index Filter is not working?
I have a filter built from: http://docs.splunk.com/Documentation/Splunk/7.0.2/Forwarding/Routeandfilterdatad and...
View ArticleDoes Splunk now support wildcards for props.conf?
I am trying to interpret http://docs.splunk.com/Documentation/Splunk/7.0.2/admin/Attributeprecedencewithinafile In the past we've had to do a hack which was essentially...
View ArticleSplunk Indexing Acting Up
I'm not sure how to describe this problem. But I'm hoping someone can help me. I have a syslog server receiving Router and Switch traffic. When it was just switch traffic everything worked perfectly....
View ArticleHow to filter a large amount of index data being generated by the head index...
I've noticed the head index server is generating an absurd amount of index data and I want to filter it out I have a stanza in props: [host::] TRANSFORMS- = host_setnull and [host_setnull] REGEX = ....
View ArticleHow to mask passwords from splunk logs?
time: 20180227120538 ... 1 line omitted ... changetype: modify replace: userPassword userPassword: {1234} Currently, I am trying under props.conf but it doesn't seem to work. SEDCMD-masking =...
View ArticleCan I modify _time with an attribute in the event?
We are bringing in symatec DLP events and we want _time to have the value of occurred_on. occurred_on comes in like this: February 27, 2018 2:39pm Can I do this as a TIME_FORMAT in props.conf or can I...
View ArticleHow to send Windows events to indexer and also to third-party server (single...
I am trying to send the data from Heavy Forwarder to INDEXERs and THIRD PARTY system (non splunk) but 3rd party system is receiving the logs in Multiline Events (which is not accepted by 3rd party...
View ArticleWhat is the best method of configuring timestamp recognition to support all...
One of our teams wishes to use ISO 8601 for their log event timestamps. They have the desire to use any of the formats provided in that standard. Does Splunk 6.4.1 support timestamp recognition...
View ArticleWhat is the best method of configuring timestamp recognition to support all...
One of our teams wishes to use ISO 8601 for their log event timestamps. They have the desire to use any of the formats provided in that standard. Does Splunk 6.4.1 support timestamp recognition...
View Articlefilter events based on regex and index remaining - props and transforms
Im trying to filter out events based on regex and index the remaining events based on below configs..But it doesn't seem to work...Can someone pls help.. In props.conf [sourcetypename] TRANSFORMS-set=...
View ArticlenullQueue : log discard not working
Hi, I recently experimented with Splunk transformations in order to **discard some log entries** ( and that worked well on my lab setup ) I am now trying to implement such solution on our main **Splunk...
View ArticleIn which props.conf file should I change the MAX_DAYS_AGO setting?
I'm trying to change the MAX_DAYS_AGO value in the props.conf file, but there are a lot of props.conf files so i'm not sure which one to change.
View ArticleWhy is the Null Queue Not Working?
Hello, Here is a sample log event I would like to filter: 20180307 11:11:08.795 [process:flow] [INFO] Thread is returning to available thread pool DM.Appl.ThreadPool Here is current props.conf...
View ArticleHow to rename index in data sent from another splunk instance?
We are receiving data from an external splunk instance. They have indexes A,B,C. When our indexers receive there data it cannot be indexed because we have indexes D,E,F. How can I rename the index for...
View Articlehow transforms.conf and props.conf works?
what is the difference between props.conf and transforms.conf and how its works
View ArticleIs there a way to change the Timezone (TZ) of OLD already indexed data
Dear Splunk Professionals, We have a requirement here to change/correct the TZ settings as few sourcetype are having different TZ and others have different. We have configured TZ wrt [my_sourcetype] in...
View ArticleWhy are the events being cut off at 257 lines in xml data?
Hi, I have xml data that can have up to 500+ lines but Splunk is truncating at 257 lines. I've been trying combinations of LINE_BREAK and BREAK_ONLY_BEFORE, but no luck. I'm not sure if it's my regex...
View ArticleWhy is Splunk ignoring my files?
I have a folder set up on a Linux machine that a Splunk forwarder is monitoring. This folder is set up to receive FTP'd reports from our mainframe. At regular intervals, the mainframe sends a dozen...
View ArticleFailed to remove lines from log files before indexing using SEDCMD command in...
We are trying to remove few lines from log files before indexing using SEDCMD command in props.conf. We are using universal forwarder and we have only one Splunk Enterprise server. Search and Index are...
View Article