Which regex is the correct extraction for Splunk EPOCH timestamp with decimal...
I have timestamps in my data sources that are EPOCH with fractional microseconds for example: 1547528398.991103 1547528400.021926 I have set up my props.conf with the following: INDEXED_EXTRACTIONS =...
Change hostname
Hello All, I have several devices on our network that have one interface/IP address in our DMZ and a management IP address in a securecell. We use the management IP address to send syslogs to a...
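An added example, not part of the question above, of the usual fix for this situation: an index-time transform that rewrites the host field from the hostname the device wrote into the syslog header, instead of keeping the management address that delivered the message. The sourcetype name and the header layout are assumptions and the regex has to be adjusted to the real header.

```ini
# transforms.conf on the indexer or heavy forwarder that parses the data.
# The regex assumes an RFC 3164-style header, "<PRI>Mon dd HH:MM:SS hostname",
# and captures the hostname the device itself put into the message.
[host_from_syslog_header]
REGEX = ^(?:<\d{1,3}>)?\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

# props.conf on the same instance. "dmz_device_syslog" is an assumed
# sourcetype; a [source::...] or [host::<management-ip>] stanza that selects
# only the traffic from the management addresses works as well.
[dmz_device_syslog]
TRANSFORMS-host = host_from_syslog_header
```

Rewriting MetaData:Host this way keeps the host field tied to the device, so searches and correlation rules keyed on host are not fooled by which interface happened to send the message. If the devices log straight into a Splunk tcp/udp input, connection_host = dns in that inputs.conf stanza only resolves the sending address; the transform is what replaces it.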
Value misinterpreted as time
We found the following message in the data and Splunk recognizes it as a timestamp. How can I prevent this interpretation and add it to the event before it? parameters: :I1:=1109002298; thx
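An added example serving both the epoch-with-microseconds question and the misinterpreted ":I1:=1109002298;" question above; it is not taken from either post. Both problems are about telling the timestamp processor exactly where to look and what shape to expect, so that a ten-digit integer elsewhere in the event is never promoted to _time. Sourcetype names and the "ts=" prefix of the second log are assumptions.

```ini
# props.conf on the indexer or heavy forwarder (timestamp recognition happens
# in the parsing pipeline, not on a universal forwarder).

# Events that start with epoch seconds and six fractional digits,
# e.g. 1547528398.991103 or 1547528400.021926.
[epoch_micro_log]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
# %s is epoch seconds, %6N the six-digit microsecond fraction.
TIME_FORMAT = %s.%6N
# 10 digits + "." + 6 digits = 17 characters; a tight lookahead stops the
# parser from reading any other numeric field as a date.
MAX_TIMESTAMP_LOOKAHEAD = 17

# Events whose body carries a bare ten-digit integer (":I1:=1109002298;").
# Anchoring TIME_PREFIX on text that precedes only the real timestamp means
# that integer is never examined. Breaking only where "ts=" starts a record
# keeps a trailing "parameters: ..." line inside the event before it rather
# than letting the integer start a new event.
[param_log]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=ts=)
TIME_PREFIX = ^ts=
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
# If a source genuinely has no timestamp, stop guessing instead:
# DATETIME_CONFIG = CURRENT
```

Leaving TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD at their defaults lets the parser scan well into the event for anything date-like, which is how configuration values and counters end up as _time and events land in the wrong time range during an investigation.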
How do I add fields to incoming data?
Hi, I'm trying to load a CSV file using the universal forwarder, and there are no headers in the CSV file. How can I give column names to those values in the file? Can I do that at props.conf? I don't...
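An added example, not from the question above, of the props.conf settings that name the columns of a headerless CSV. Structured-data extraction runs where the file is read, so this stanza belongs on the universal forwarder (and the same stanza should be deployed to the search tier so it knows the fields were extracted at index time). Sourcetype and column names are assumptions.

```ini
# props.conf on the universal forwarder that monitors the file.
# inputs.conf must assign sourcetype = headerless_csv to the monitor stanza.
[headerless_csv]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
# The file has no header row, so supply the column names here, in order.
FIELD_NAMES = event_time,user,src_ip,action,status
# Name the column that carries the timestamp and describe its format.
TIMESTAMP_FIELDS = event_time
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
# With a real header row you would use HEADER_FIELD_LINE_NUMBER = 1 instead
# of FIELD_NAMES.
```

Because FIELD_NAMES fixes the column-to-field mapping at ingest time, a producer that silently adds or reorders columns shifts every later field; checking field counts in a validation search after any change to the exporting script is cheap insurance.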
How come event breaker based on timestamp works when uploading a file but not...
Hi guys, I am trying to index a ProxySQL log file which looks like: ProxySQL LOG QUERY: thread_id="25" username="blabla" schemaname=information_schema" client="10.206.119.24:62462" HID=1...
How do you use a source stanza under props.conf on a universal forwarder?
I'm currently looking at deploying some changes to ease management of input files in our environment. I've confirmed that the only way to bring in multiple whitelisted files, and think them with a...
How do I use props.conf and transforms.conf to filter events based on a key...
Hi All, I have a lot of compressed files in a local directory that I want Splunk to ingest. I set up a directory as an input via the WebUI, but I only want events that contain a key word like...
How do you mask values using SEDCMD in payload emitted in the logs?
I need help in masking data in the payload emitted in the log. The application writes logs to Windows Event logs - Message=[2019-01-29 07:00:24,706] {1302} INFO SomeHelper::SendToDestination -...
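An added example, not from the question above, of SEDCMD masking applied to the Message= payload of a Windows event. The post does not show which values need masking, so the two patterns below (a 16-digit card number and a bearer token) are assumed payload layouts, and the sourcetype name is whatever the Windows input assigns, here assumed to be WinEventLog:Application.

```ini
# props.conf on the first Splunk Enterprise instance that parses the events
# (indexer or heavy forwarder). A universal forwarder does not apply SEDCMD
# to unstructured data, so placing this on the UF has no effect.
[WinEventLog:Application]
# Keep the first four and last four digits of a 16-digit card number.
SEDCMD-mask_pan = s/\b(\d{4})\d{8}(\d{4})\b/\1XXXXXXXX\2/g
# Replace any bearer token that the application echoed into the message.
SEDCMD-mask_token = s/(Authorization:\s*Bearer\s+)\S+/\1[REDACTED]/g
```

SEDCMD rewrites _raw before it is written to disk, so the sensitive value never reaches the index, the search head or a summary; that is the property a masking requirement usually wants, and also why the expression must be tested against real samples before deployment, since there is no way to recover the original text afterwards.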
Why is the Indexer ignoring my timezone settings?
Hi, I've got a problem that's driving me crazy. There is a source we're reading via a universal forwarder that is the output of a syslog on a whole bunch of servers. This means that some of the lines...
How do you custom line break multi-line logs in props.conf?
Hi, My log file is like this: [#|2019-01-31 11:04:34,712 | ERROR | some data Logging important message |#] In my props.conf(SplunkUniversalForwarder\etc\system\default), I have tried the following...
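An added example serving both the ProxySQL "works on upload but not when forwarded" question and the "[#|...|#]" line-breaking question above; it is not from either post. The two behave differently because a universal forwarder does not run LINE_BREAKER at all: the indexer breaks events, and the forwarder only needs EVENT_BREAKER so it hands complete events to the load balancer. Settings also belong in etc/system/local or an app, never in etc/system/default, which is overwritten on upgrade. Sourcetype names are assumptions.

```ini
# ---- props.conf on the universal forwarder ----
# EVENT_BREAKER (available on UFs since 6.5) only marks safe boundaries for
# forwarding; it does not replace the indexer-side settings below.
[proxysql_query_log]
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)(?=ProxySQL LOG QUERY:)

[glassfish_server_log]
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)(?=\[#\|)

# ---- props.conf on the indexer or heavy forwarder ----
# Break only where a new record starts; lines that do not start a record
# stay attached to the event before them. Group 1 is the discarded newline.
[proxysql_query_log]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=ProxySQL LOG QUERY:)

[glassfish_server_log]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\[#\|)
TIME_PREFIX = \[#\|
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
```

The upload path works without any of this because the web UI parses the whole file on one indexer with line merging on; forwarded data arrives in chunks across indexers, so without an explicit boundary a multi-line stack trace or query can be cut in half or glued to its neighbour.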
How do you edit props.conf to correctly parse data from a PowerShell script?
I have a powershell script which feeds data into Splunk via a UDP port. The output of the script is as follows: AbatInstanceID=32107862 AbatBatchID=32107825 AbatPlanName=ABM - Partner Remittance Loader...
What is the sequence of execution of transforms across different stanzas and...
Hi, We want to change sourcetype and then send data to two different Splunk Indexers. What is happening is the sourcetype is getting changed (that means first props.conf stanza is working) BUT the...
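An added example, not from the question above, of changing the sourcetype and routing in one pass. Two points matter: transforms listed in a single TRANSFORMS-<class> key run left to right, so putting both in one list fixes their order; and props.conf stanzas are chosen by the sourcetype the data arrived with, so a [web_audit] stanza on the same instance is not consulted for index-time settings merely because the first transform renamed the event. Stanza, sourcetype and group names are assumptions.

```ini
# transforms.conf on the indexer or heavy forwarder
[set_st_web_audit]
REGEX = \bweb_audit\b
FORMAT = sourcetype::web_audit
DEST_KEY = MetaData:Sourcetype

[route_web_audit]
REGEX = \bweb_audit\b
FORMAT = indexers_web
DEST_KEY = _TCP_ROUTING

# props.conf: one key, explicit order. Both transforms hang off the stanza
# of the sourcetype the data comes in as, not the new one.
[syslog]
TRANSFORMS-st_and_route = set_st_web_audit, route_web_audit

# outputs.conf on the same instance: the routing target must exist here.
[tcpout]
defaultGroup = indexers_main

[tcpout:indexers_main]
server = idx1.example.internal:9997, idx2.example.internal:9997

[tcpout:indexers_web]
server = idx3.example.internal:9997
```

Events that the routing transform does not match keep going to defaultGroup, so a regex that is too narrow fails quietly towards the default indexers rather than dropping data; checking event counts per tcpout group after a change is the practical verification.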
How come our regular expression is working in search but not configs?
I have a local administrator cataloging script running on local machines (just mine while testing). The message output in Splunk is: ObjectClass=Group Name=DOMAIN\AD-SecurityGroup Now I want to break...
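An added example, not from the question above, of a search-time extraction for the "ObjectClass=Group Name=DOMAIN\AD-SecurityGroup" output. In a .conf file the regex is used as written: a backslash in the data is matched by "\\" exactly as in PCRE, with no extra layer of string escaping and therefore no need for "\\\\". The sourcetype name is an assumption.

```ini
# props.conf on the search head (EXTRACT- is a search-time setting, so it
# does not need to be on forwarders or indexers).
[local_admin_audit]
# "[^\\\s]+" is a class of anything except backslash and whitespace; "\\"
# then consumes the single backslash between domain and group.
EXTRACT-ad_group = Name=(?<ad_domain>[^\\\s]+)\\(?<ad_group>\S+)
EXTRACT-object_class = ObjectClass=(?<object_class>\S+)
```

A quick way to confirm the conf-side regex behaves like the one used in search is to paste the same expression into a rex command against the indexed events; if they disagree, the difference is almost always in where the stanza lives (wrong sourcetype, wrong app, or a REPORT- name that points at a transforms stanza that does not exist).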
How to extract a multivalued JSON Field based on a certain condition inside...
Hello, I want to extract a multivalued field in a nested JSON event A: [ { [-] file: x type:a } { [-] file: y type:b } ] Here in the above JSON, I want to extract the field named 'file' **if and only...
How do you do an automatic extraction based on the SPL 'extract' command?
Using: index=default sourcetype=my:sourcetype | extract pairdelim="][", kvdelim="=", auto=f Feb 19 09:44:02 foobar Feb 19 2019 09:44:02.322 UTC : [My Port=2000][Device name=MyDevice][Device IP...
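An added example, not from the question above, of turning the "[Key=Value][Key=Value]" layout into an automatic search-time extraction. A REPORT- transform whose FORMAT is $1::$2 creates a field named by the first capture group and valued by the second, which is what the interactive extract command was doing by hand. Stanza name is an assumption; my:sourcetype is the one in the post.

```ini
# transforms.conf on the search head
[bracketed_kv]
# Group 1 is the key, group 2 the value; one match per bracketed pair.
REGEX = \[([^=\]]+)=([^\]]*)\]
FORMAT = $1::$2
# Repeated keys become a multivalue field instead of being overwritten.
MV_ADD = true

# props.conf on the search head
[my:sourcetype]
REPORT-bracketed_kv = bracketed_kv
# Default auto key=value extraction would also see "Port=2000]" and create
# noisy duplicates, so turn it off for this sourcetype.
KV_MODE = none
```

With CLEAN_KEYS at its default of true, "My Port" and "Device name" are stored as My_Port and Device_name, so field names with spaces in the log do not need any special handling in the regex.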
Filter events for specific keywords
Hi, I have some set of events that have keywords like "inbound message" and "outbound message". The events look something like this: 2010-02-20 14:12:45.642 | INFO | qtp413909515-1424 -...
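An added example serving both the compressed-files keyword question and the "inbound message"/"outbound message" question above; it is not taken from either post. The pattern is a two-step whitelist: send everything to nullQueue, then send the events that match the keywords back to indexQueue. Sourcetype and stanza names are assumptions.

```ini
# transforms.conf on the indexer or heavy forwarder (queue routing happens
# in the parsing pipeline, so a universal forwarder cannot do this).

# Step 1: discard every event of the sourcetype.
[drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Step 2: rescue the events that carry one of the wanted phrases.
[keep_message_events]
REGEX = \b(?:inbound|outbound) message\b
DEST_KEY = queue
FORMAT = indexQueue

# props.conf on the same instance. The order inside the list matters: the
# last transform that matches decides the queue, so drop must precede keep.
[app_message_log]
TRANSFORMS-filter = drop_all, keep_message_events
```

Events sent to nullQueue are not indexed and do not count against the license, which is why this pattern is the standard way to keep only the security-relevant subset of a chatty source; the regex is case-sensitive unless written as (?i)..., so check the real capitalisation before relying on it.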
Using props.conf on SplunkUniversalForwarder to denote TimeZone
TimeZone specification in props.conf on a SplunkUniversalForwarder instance does not appear to be working for me. - SplunkUniversalForwarder instance version 6.3.2 - Splunk instance (indexer) version...
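An added example serving both timezone questions above (the indexer "ignoring" TZ and TZ on a universal forwarder); it is not from either post. A universal forwarder does not parse timestamps for plain text data, so a TZ in its props.conf is never consulted; the setting has to be on the indexer, or on a heavy forwarder in front of it. Host patterns and the sourcetype are assumptions.

```ini
# props.conf on the indexer (or heavy forwarder). TZ only matters when the
# timestamp in the event carries no offset of its own.

# Servers whose names start with "chi-" log in local Chicago time.
[host::chi-*]
TZ = America/Chicago

# Servers whose names start with "fra-" log in local Frankfurt time.
[host::fra-*]
TZ = Europe/Berlin

# Everything else of this sourcetype is assumed to log in UTC.
[syslog_mixed_tz]
TZ = UTC
```

When several stanzas match one event, source:: stanzas take precedence over host:: stanzas, which take precedence over sourcetype stanzas, so the per-host TZ above wins over the sourcetype default. Mixed offsets on one sourcetype are worth fixing at ingest: an incident timeline built from events that are silently off by hours is worse than one with visible gaps.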
Are there limitations on using the searchmatch() eval function in props.conf?
I have the following eval statement: | eval...
Why aren't my app's props.conf settings being exported when using export = system?
My props.conf values are not being picked up by the Splunk search app. I currently have the following stanza set in $SPLUNK_HOME/etc/apps//metadata [] access = read : [*], write : [admin] [props]...
Can't override _time with props
Using HEC on a heavy forwarder, I receive JSON that comes in as follows: { "env": "prod", "org": "xxx", "percentile": "95", "proxy": "xxx", "region": "europe-west1", "target": "ALL", "time":...