How do you write a Regular expression in props.conf for only one field?
Hi All, How do I write a regular expression in props.conf for only one field? Like rex field=ab "regex". Thanks, Rakesh
Any way to determine the rendered configuration as applied to a specific source?
`splunk btool` is a helpful tool that allows you to determine the result of merging the config on disk, but it doesn't help you to determine whether that config was applied to a given event. Is there...
Regex in transforms.conf for source in props.conf not working for one of...
I'm trying to use a regex in a transforms.conf file on the Indexer to prevent indexing of informational and debug messages in specific files. The messages are in this format: 2018-11-30 13:10:55,474...
How do you determine the rendered configuration as applied to a specific source?
`splunk btool` is a helpful tool that allows you to determine the result of merging the config on disk, but it doesn't help you to determine whether that config was applied to a given event. Is there...
Why is my regex in transforms.conf for source in props.conf not working for...
I'm trying to use a regex in a transforms.conf file on the Indexer to prevent indexing of informational and debug messages in specific files. The messages are in this format: 2018-11-30 13:10:55,474...
How come my regexes are working in props source matching?
Splunk Enterprise 6.5.4, with dedicated indexer and search head clusters, using config such as this: transforms.conf: [set_configured_sourcetype] REGEX = . FORMAT = sourcetype_configured::1 WRITE_META...
How come my regexes aren't working in props source matching?
Splunk Enterprise 6.5.4, with dedicated indexer and search head clusters, using config such as this: transforms.conf: [set_configured_sourcetype] REGEX = . FORMAT = sourcetype_configured::1 WRITE_META...
What are the best practices for defining source types?
I've heard that using Splunk's default source type detection is flexible, but can be hard on performance. What is the best way to define source types that keeps performance speedy?
multiple replace in field
Hello, I extracted a field like this: folder="prova^1.ED56GH" and I want to change it at search time replacing all dots with "/", and then all ^ with dot. In the example I will obtain:...
Can you help me create the regex to replace multiple characters in the...
Hello, I extracted a field like this: folder="prova^1.ED56GH" and I want to change it at search time by replacing all dots with "/", and then all ^ with dot. In the example I will obtain:...
Can anyone help me configure props.conf and transforms.conf to parse the...
Hi, I have a logfile which looks like this: 2018-12-06 02:53:18 * [13396] PASSED: ftp file X20181206025051227_XXXTracking.csv renamed to 20181206025051227_XXXTracking.csv 2018-12-06 02:53:18 * [13396]...
Do we need props.conf on the indexer when indexing a csv file?
We use the following `props.conf` for csv files - [] disabled = false SHOULD_LINEMERGE = false INDEXED_EXTRACTIONS = CSV FIELD_NAMES = TIMESTAMP_FIELDS = TIME_FORMAT = We place it on the forwarder - do...
override source field to a common source using transform.conf and props.conf
Hi, I want to have a common source field for all my syslog. I have a centralized syslog server where I am running splunkforwarder to send all remote hosts' logs to Splunk. Currently the source field is default...
LineBreakingProcessor - Truncating line because limit of 10000 bytes has been...
Hi Team, I am using Splunk 7.1.1 and I have been getting this error constantly: **LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded**. As per various Splunk Answers I...
Why am I getting the following error from the LineBreakingProcessor:...
Hi Team, I am using Splunk 7.1.1 and i have been getting this error constantly **LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded** As per various Splunk answers,...
After using an SED command in props.conf, how come our query with the replace...
Hello, I have one of the fields in CyberArk which has a special character. Retrieve [File Monitor [FW] end Monitor [FW] start Monitor [DR] end Monitor DR] start Open File Set Password Logon Logoff...
Select the contents of the key-values fields from the string
Hi! There is a log with such records: Dec 17 10:08:38 10.52.137.1 Apr 3 22:46:57 2012 930-RTR-944 %%10SSH/6/SSH_LOGIN(l): -DevIP=10.52.137.1; STEL user monitor (IP: 192.168.181.94) logged in...
Where do I exclude data from input?
Hi, I'm sorry in advance for the really basic question but Splunk is all new to me and I couldn't find exactly what I want in the documentation. I have a server class (_server_app_PIA_App_Servers) that...
Getting rid of unwanted events
Hi, I am trying to get rid of 2 events from an XML file I am trying to ingest. I am editing the transforms.conf to send 2 events to the null queue; the 2 events I am trying to get off are the and (an...
what is _meta in DEST_KEY field in transforms.conf and what it does and where...
I made the whole transforms.conf and props.conf for data in Splunk and analysed FORMAT in transforms.conf with $0 and without it, but no changes were reflected.