How do I make a part of a field lowercase at index-time?
Hello Splunk users, I run Splunk for Postfix, and I have a **props.conf** containing EXTRACT-message_id = message-id\=\<(?[^\>]*)\> EXTRACT-Message_Id = Message-ID\:\s*\<(?[^\>]*)\> I...
Search-time field extraction - troubleshoot props.conf
I have certain logs which are indexed correctly. Field extraction using props.conf and transforms.conf works correctly when I am searching within the indexer. However, when I am copying the same set of...
Is there a way to find which props.conf and/or transforms.conf file is...
I have certain logs which are indexed correctly. Field extraction using props.conf and transforms.conf works correctly when I am searching within the indexer. However, when I am copying the same set of...
Splunk Add-on for Microsoft Windows: Is this a bug with the field alias for...
In file default/props.conf the following aliases are defined: [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] ... FIELDALIAS-severity_for_windows = Type as severity...
How to troubleshoot why props.conf settings did not take effect and an index...
Hi Experts, I don't want to wake up any zombies, hence I create a new thread here. I have a props.conf file that works on my local as follows; however, it didn't work on another environment (i.e. SIT). Additional...
How to remove the currency symbol etc. from a field before indexing?
This is what the data looks like in the source file (.csv). Notice the $156.03 09/26/13, 2013 , 09-Sep , Week-39 , Thu , - , 4 ,, $156.03 ,, $156.03 ,100%, $39.01 ,,0:00, 13 , $12.00 , This is what I...
How to configure props.conf and transforms.conf to index logs with a specific...
Hi Experts, I am getting logs / events from an application server to an indexer. I want to index logs with the string "connected to machine" and drop all other events. Please help me with props.conf and...
Why am I getting error "In handler 'props-extract': Data could not be...
Hello, I had created some custom fields in my original Splunk Install, then I installed on a new server. I'm trying to migrate the custom fields I created. To try to save some time, I copied the...
Why is my props.conf and transforms.conf configuration not filtering out IIS...
Hi, I have the following IIS log: 2015-11-26 11:19:37 10.10.90.36 GET /webpl3/Handlers/ClientState/ClientState.ashx...
Time Stamp - Log Delay
Hi Splunk users, I have a problem regarding Splunk showing incorrect timestamps: Splunk pretty much shows me timestamps with a 5 hour delay. If something is logged in the logs I monitor, it is...
Why am I getting a CSV Parser Error in my Splunk 6.0.x environment for the...
I created a parser for a CSV file which I tested on my local machine (6.3 version) and it seemed to be working fine, but the same settings (props & transforms) are not working in my other environment (6.0)....
How to correlate events from different sourcetypes from different timezones...
Hi, We have logs coming into Unix and Windows WebSphere. Every logon in Windows generates an event in Unix with the type of security connection used (Ex: Web 3 and secure). The only thing matching in...
How to correct timestamp recognition that is currently skewed due to result...
Hello Splunkers, We have an event coming in from our logs below with this stamp right at the beginning of our logs. That is good... Event TIme Stamp 11/30/15:11:16 AM Unfortunately Splunk gets confused...
Splunk Add-on for Infoblox: Why is the event time off for indexed logs in...
We have our InfoBlox appliance set to use UTC. However, Infoblox logs in Splunk are showing as -0400, but they should be -0500. Where do I adjust this? I'm not seeing anything in props.conf that stands...
How to turn on WinEventLog:Security logs only for certain Domain Controller(s)
Due to license limitations, I cannot turn on the security logs for all the Windows Domain Controllers, except for some crucial ones. How can I achieve that? As part of my PoC with only one server, I...
Why are some default fields not being extracted for data coming in via TCP...
I have data incoming via TCP syslog. I have created the following transforms to process them: * etc/system/local/props.conf: [source::tcp:1514] TRANSFORMS-windows = set_sourcetype_snare,...
Why is Splunk log line breaking not working as expected for my multiline events?
Hello, I have some multiline events along with normal single line events in a log that is being monitored by Splunk. For some reason, I can't get the multiline event to merge as one event, it always...
Moving a search head pooling Windows environment to a Linux environment,...
Trying to get a Windows environment moved into a Linux environment, and having problems finding where props.conf is applied to the data. There's no props.conf in local on the search heads, the cluster...
How do I configure props.conf to recognize the proper timestamp for my logs?
Hello, I have an issue where a small percentage of my logs are coming in dated 2011. I tracked it down to a field called `usernum=*` where some subset of the users account numbers match Epoch time...
Why is Hunk not picking up the iis sourcetype I configured in props.conf?
I created a new virtual index to search against IIS logs (I have an HDFS directory that holds 11 individual logs all formatted for WC3). I selected 'Explore Data', selected the first file, and walked...