Where to edit props.config for breaking log into multiple events?
I am using universal forwarders to move log data from remote servers to a centralized Splunk Light server. Where do I edit the props.config? On the remote server or on the centralized Splunk Light...
Sourcetype Inheritance: How to inherit parent sourcetype to child sourcetypes?
Hope you all have faced this situation. We got incoming mixed data from a single source (e.g. source=my_application.log). This is currently parsed at arrival as `sourcetype=my:application`. But this...
How do I line break after a particular word?
Hello, below is one sample event, which starts with ####### and ends with "* All done!". How do I break the events correctly? Thanks in advance ####################### Program: FADBDataLoader.pl...
Need help on LINE_BREAKER, TIME_FORMAT and TIME_PREFIX
I have built a props.conf, but while it works fine when I upload the log file manually, the line breaking does not work when the app writes the log. Please advise how to make this props.conf work when the...
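As an added example for the three line-breaking questions above (it is not taken from any of the posts), here is a props.conf stanza that breaks the FADBDataLoader.pl style log at each run of `#` characters and reads the timestamp from a fixed prefix, plus the matching inputs.conf stanza for the forwarder. The stanza name, the monitored path and the `Started:` timestamp line are assumptions; the posted snippets do not show the full event. The security-relevant point is where the stanza lives: line breaking, timestamp extraction and TRUNCATE are index-time settings, so they take effect on the instance that parses the data, which is the indexer (the Splunk Light server) or a heavy forwarder, not a universal forwarder. That is also the usual reason a file uploaded manually through Splunk Web breaks correctly while the same data arriving from a forwarder does not: the manual upload is parsed on the indexer with the stanza you picked in the UI, whereas forwarded data is parsed under whatever sourcetype the forwarder's inputs.conf assigns, so the sourcetype names must match exactly.

```ini
# props.conf on the indexer (or heavy forwarder), NOT on the universal
# forwarder. Stanza name and timestamp layout are assumptions for this example.
[fadb:dataloader]
# Every event starts with a run of '#' characters. The capture group is the
# text discarded between events; the lookahead keeps the '#' run with the
# event that follows it instead of attaching it to the previous one.
LINE_BREAKER = ([\r\n]+)(?=#{5,})
SHOULD_LINEMERGE = false
# Assumed: each event carries a line such as "Started: 2018-09-13 16:06:53".
# TIME_PREFIX is a regex; the timestamp is read from just after its match.
TIME_PREFIX = Started:\s+
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# Only look 19 characters past the prefix for the timestamp, so a later
# number in the event body can never be mistaken for the event time.
MAX_TIMESTAMP_LOOKAHEAD = 19
# Events run until "* All done!"; raise the default 10000-byte truncation limit.
TRUNCATE = 100000

# inputs.conf on the universal forwarder. The sourcetype must match the stanza
# name above; otherwise the indexer falls back to its defaults (or automatic
# sourcetyping) and the line breaking above never runs. Path is assumed.
[monitor:///var/log/fadb/dataloader.log]
sourcetype = fadb:dataloader
```

After changing an index-time stanza, restart the indexer and check the effective configuration with `splunk btool props list fadb:dataloader --debug` so you can see which file each setting came from; events already indexed keep their old breaking, so test against fresh data.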
How to extract the one-time header on top of the real header.
Hi, I'm new to Splunk and would like some help tackling my task at hand: - NO INDEX DATE STIME ETIME REP ACTIVITY RESULT ID TYPE PLACE 17892 4/10/2015 14:13:48 14:14:03 15 CYCLE_REP GOOD NONE...
Override sourcetype and redirect to another index
Hi guys, I want to override the sourcetype for all events before they are indexed and redirect some of those events (those with ERROR) to another index with the overridden sourcetype. So I need events to be...
How can I override sourcetype and redirect to another index?
Hi guys, I want to override the sourcetype for all events before they are indexed and redirect some of those events (those with ERROR) to another index with the overridden sourcetype. So, I need events to be...
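As an added example for the two sourcetype-override questions above (not code from the posts), this pair of stanzas rewrites the sourcetype of every event from one source and then routes only the events containing ERROR to a second index. The source path, sourcetype and index names are assumptions. Both transforms are listed on one `TRANSFORMS-` line because Splunk applies them in the order given, so the sourcetype rewrite is already in place when the routing decision is made.

```ini
# props.conf on the indexer / heavy forwarder. Source path is assumed.
[source::/var/log/myapp/app.log]
# Order matters: first rewrite the sourcetype, then route by content.
TRANSFORMS-route = set_app_sourcetype, route_errors_to_index

# transforms.conf
[set_app_sourcetype]
# SOURCE_KEY defaults to _raw; "." matches every event, so every event
# gets the new sourcetype regardless of content.
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::my:application

[route_errors_to_index]
# Only events containing the whole-word token ERROR are sent to the second
# index; everything else keeps the index set in inputs.conf.
REGEX = \bERROR\b
DEST_KEY = _MetaData:Index
FORMAT = app_errors
```

Two checks before relying on this: the `app_errors` index must already exist on the indexer, or the routed events are discarded; and because `TRANSFORMS-` rewrites run after line breaking and timestamp extraction, any LINE_BREAKER or TIME_FORMAT settings must sit under the original `[source::...]` stanza, not under `[my:application]`, which the data never has while it is being parsed.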
Why are my automatic lookups not working?
Hey Splunk, long-time lurker, first-time poster. I am attempting to perform an automatic CIDR lookup from a CSV file on a specific sourcetype. I can manually perform the lookup and get data back, but...
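As an added example (not from the post above) of wiring a CIDR lookup to a sourcetype automatically, here are the transforms.conf definition and the props.conf binding. The CSV name, its columns (`subnet,zone,owner`), the sourcetype and the event field `src_ip` are assumptions. The detail that most often separates a working `| lookup` from a silent automatic lookup is `match_type`: it is set on the lookup definition in transforms.conf, and a definition created only in the search bar or with default settings compares the subnet column as a literal string, so `10.1.2.3` never matches `10.1.0.0/16`.

```ini
# transforms.conf - the lookup definition. File name and columns are assumed.
[cidr_zone_lookup]
filename = cidr_ranges.csv
# Treat the "subnet" column as CIDR ranges instead of literal strings.
match_type = CIDR(subnet)

# props.conf - bind the lookup to the sourcetype at search time.
[my:firewall]
# Match the event's src_ip against the subnet column and add the zone and
# owner columns as src_zone and src_owner. OUTPUT overwrites existing
# fields; use OUTPUTNEW if the event may already carry them.
LOOKUP-cidr_zone = cidr_zone_lookup subnet AS src_ip OUTPUT zone AS src_zone owner AS src_owner
```

If the manual `| lookup` works and the automatic one does not, check, in order: the sourcetype in the stanza header matches the events exactly (case and colons included); the lookup table file and definition are shared with the app you search from, or exported globally; and the `LOOKUP-` stanza sits in an app whose props.conf is readable by the search head, not only on the indexer or forwarder.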
How to merge all lines into one single event?
Hi, How can I merge all lines of a config file into one single event? My inputs.conf is: [monitor:D:\CatTools3\Config.Current.Running.ASA-CLI.txt] sourcetype = CatTools:Firewall:ASA-CLI host_regex =...
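As an added example for the question above (not from the post), this props.conf stanza makes Splunk treat the whole monitored file as one event. The stanza name is the sourcetype from the poster's inputs.conf; the poster's `host_regex` setting is untouched. The approach relies on a line breaker that can never match, so nothing is split, together with a raised truncation limit, since a full running-config is usually well past the default 10000 bytes. Turning timestamp extraction off is a deliberate choice here: a firewall config contains plenty of numbers and month-like words that the timestamp guesser would otherwise latch on to.

```ini
# props.conf on the indexer / heavy forwarder. Stanza name comes from the
# poster's inputs.conf (sourcetype = CatTools:Firewall:ASA-CLI).
[CatTools:Firewall:ASA-CLI]
# A line breaker that can never match: the entire file becomes one event.
LINE_BREAKER = ((?!))
SHOULD_LINEMERGE = false
# 0 disables truncation; the default 10000 bytes would cut the config off.
TRUNCATE = 0
# Do not hunt for a timestamp inside the config body; for a monitored file
# the event then gets the file's modification time.
DATETIME_CONFIG = NONE
```

Note that this only works for a file that is written in one go and then left alone, which is how a scheduled config backup behaves. If the file is appended to later, each appended chunk that Splunk reads becomes its own event, because the never-matching line breaker cannot glue new data onto an event that has already been indexed.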
Using SPATH notation in conf files
Hi guys, I need to auto-extract fields and values at search time using **SPATH notation** in props.conf and transforms.conf files. I know that there are more convenient ways to do that, but I have...
Why is eventtype not tagging 100% of events?
In an attempt to explain this right... We have set up multiple eventtypes for different occurrences. For example: eventtype=major eventtype=warning. major works just fine. When running a simple search:...
JSON Regex not working properly
I have a JSON file which is being indexed by Splunk; the format is like: { testdata : [ { "testid" : 1234, "abc" : "def", "def" : "abc", "httpServer" : [ { "responseTime" : 300, "responseCode" : 200,...
Why is my JSON regex expression not working properly?
I have a JSON file which is being indexed by Splunk; the format is like: { testdata : [ { "testid" : 1234, "abc" : "def", "def" : "abc", "httpServer" : [ { "responseTime" : 300, "responseCode" : 200,...
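As an added example serving the spath-in-conf question and the two JSON regex questions above (not code from any of the posts), this props.conf stanza lets the JSON parser produce the fields at search time and then uses `spath()` inside an `EVAL-` setting to pull values out of the nested arrays with the same path notation the `spath` command uses. The sourcetype name and the extracted field names are assumptions; the paths follow the structure shown in the posted sample (`testdata[].httpServer[].responseCode`). A regex over nested JSON breaks as soon as key order, whitespace or nesting changes, which is why the JSON parser is the right tool here.

```ini
# props.conf, search-time settings. Sourcetype name is assumed.
[my:json:app]
# Let the JSON parser extract fields; "{}" in a path addresses array elements,
# so testdata{}.httpServer{}.responseCode yields every response code.
KV_MODE = json
# spath() in an EVAL- uses the same path notation as the spath command.
EVAL-http_response_codes = spath(_raw, "testdata{}.httpServer{}.responseCode")
EVAL-http_response_times = spath(_raw, "testdata{}.httpServer{}.responseTime")
```

One caveat that applies to the posted sample exactly as shown: `{ testdata : [` has an unquoted key, which is not valid JSON, and both `KV_MODE = json` and `spath()` require valid JSON; if the source really writes unquoted keys, no amount of conf work will parse it until the producer is fixed. Check the raw event with `| spath` in the search bar first; if that returns nothing, the conf-based extraction will return nothing too.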
Unable to read logfile
I am trying to read a log file from a server. I have made all the configuration in Splunk, but data is not coming into Splunk search. When I checked Splunk's internal log, I am getting a permission denied error for...
Why am I unable to read logfiles?
I am trying to read log files from a server. I have made all the configuration in Splunk, but data is not coming into Splunk search. When I checked Splunk's internal log, I got a permission denied error...
How to create a regex or rex in a search to extract each line in a log event...
Hi Splunk gurus, I am new to Splunk and need your help on the below. Below is how the events are getting into Splunk; every event has multiple lines. I need a rex or regex to split every line as...
TA Meraki: how do I fix the bug I found in my splunkd.log?
In the props.conf of the TA on line 65 is the following: EVAL-lease_scope = if(len(lease_scope_subnet)=>1,src."/".lease_scope_subnet,null()) Looking through my splunkd.log, I see the below error....
Transforms index-time field extraction producing unexpected results.
The field extraction works for nearly all events, except for events where the line count is over 450. The returned value of the extraction for such events is about 27 lines long or 2500+ characters...
Finding and removing strings in logs from the Forwarder
Hello, I'm trying to send some antivirus logs from the forwarder into Splunk. The logs I'm sending have a tendency to spam, for example: 13/09/2018 16:06:53 No usable rule found Blocked...
Props.conf - Time transformations
Hello Splunkers, is there any way to change/develop/tune/test index-time transformations (props configurations) without needing to restart the Splunk instance? Thanks in advance! Afroditi