Where do INDEXED_EXTRACTIONS happen?
I have a Universal Forwarder reading data in a Tab Separated format. I want to apply the `INDEXED_EXTRACTIONS = TSV` to it. Do I need to put that on the Indexer or the Forwarder? A further question is...
View ArticleWhy are my props and transforms.conf not filtering data on the heavy forwarder?
I have a Heavy Forwarder installed which sends the logs to Splunk Cloud. Here's the workflow, please shed some light on this.... UFs-----> HWF ----->Splunk clould indexers -data is flowing into...
View ArticleHow to ignore and stop indexing of timestamps from CSV events? (sent from a...
Hi, I am almost stuck on this for three days now. I am unable to stop indexing of the timestamp from the events. But when I set ` DATETIME_CONFIG = NONE` or `DATETIME_CONFIG = CURRENT`I am unable to...
View ArticleWhy are my props.conf settings not being applied to my data after upgrading...
Here's my local props.conf. [tmweb@app1.splunkdev.jetdev2.syseng.tmcs ~]$ cat /opt/splunk-efr/splunk/etc/system/local/props.conf [default] TRUNCATE=100 TIME_PREFIX = datetime= TIME_FORMAT =...
View ArticleUsing REGEX in Transforms.conf to filter Windows Events
Hi, I'm using the Syslog server to gather all my Windows events, right now, I'm trying to use a Splunk Heavy forwarder to filter off Event ID 5156 and 4768. I have configured both my props.conf and...
View ArticleWhy are my props.conf settings not being applied to my data
Here's my local props.conf. [tmweb@app1.splunkdev.jetdev2.syseng.tmcs ~]$ cat /opt/splunk-efr/splunk/etc/system/local/props.conf [default] TRUNCATE=100 TIME_PREFIX = datetime= TIME_FORMAT =...
View ArticleWhy is my regex in transforms.conf to filter Windows Events on a heavy...
Hi, I'm using the Syslog server to gather all my Windows events. Right now, I'm trying to use a Splunk Heavy forwarder to filter off Event ID 5156 and 4768. I have configured both my props.conf and...
View ArticleWhy is CSV data not getting parsed while being monitored on server with a...
We have a remote server where some CSVs are stored and the directory set to be monitored by Splunk. Now, if I upload the same CSV locally to Splunk (indexer/deployment), it seems like parsing is...
View ArticleSplunk Add-on for CyberArk: I made changes in props.conf for proper multiline...
Less of a question, but just wanted to say Many thanks for this, works like a treat. I found I had to set `UseLegacySyslogFormat=No` in the dbparm.ini to send the priority of the SYSLOG to Splunk, and...
View ArticleHow to configure props and transforms.conf to only index a few fields and...
I tried all the possible things in Splunk, but couldn't index only some part of the file. For example: 2015/11/30 19:00:00 ad32ah req:connection srv:vm1pskndx3 method HTTPS txnid:986218312825 and from...
View ArticleMap Reduce: How do I get around evals with interdependencies in props.conf?
Hey Splunkers, I have a question to throw out there regarding a true map reduce dilemma. I have a props.conf statement that have evals that are interdependent on each other. I have noted that when...
View ArticleWhy are events with timestamps being grouped together in one event?
We see some events with timestamps clubbed together in one event. Changing the props.conf did not help to resolve the issue. Sample: 12/8/15 12:07:53.000 AM [4/20/15 0:07:53:255 MST] 00000017 SystemOut...
View ArticleWhy are my props.conf configurations not merging lines into one event in...
Hello, I have a problem with merging events: I search in this forum's posts and documentation and tried a lot of combinations, but never worked! **My config:** Test environment = Splunk v5 on a single...
View ArticleHow to edit props.conf to collect gz.done files from Blue Coat's proxy FTP...
How to edit props.conf to start collecting gz.done files from Blue Coat's proxy FTP server? Reporter change .gz files to gz.done files. What should I do to start pushing these files via universal...
View ArticleHow do I edit my props.conf for proper timestamp extraction from my sample...
I'm having trouble with a log and getting Splunk to recognize the time format. Here is an example a log entry: 010406:00:530000000000000040RD000001071215 Now, all the entries start with `0104` followed...
View ArticleHow to parse a JSON array delimited by "," into separate events with their...
Sample single event: [{"a":"057.00E09037A","b":"cdw","c":"1.2.7.7","d":"192.168.1.0","date":"2015-12-14T23:25:24.539Z"},...
View ArticleHow to route data from a single input to multiple indexes?
I am using a distributed Splunk Enterprise configuration with syslog data from multiple sources going to a central syslog server with a Universal Forwarder. The syslog sources are from separate...
View ArticleHow to break events on Particular field using Regex or any other process?
Hi All, Below is my event data: Issue 1: 11/11/15 1:26:01.000 PM Job Id, Class Id,"Id","Success","Created","Error","Id","Service_Team_Members_Initials__c"...
View ArticleOracel DB connection Error - ORA-01882: timezone region not found
After going through some of the posts here, I am still facing the same issue. Basically trying to connect to an Oracle DB. Got past the error when I unchecked the "Validate Connection". But when I try...
View ArticleSplunk DB Connect 1: Why am I getting Oracle DB connection Error "ORA-01882:...
After going through some of the posts here, I am still facing the same issue. Basically trying to connect to an Oracle DB. Got past the error when I unchecked the "Validate Connection", but when I try...
View Article