How come I can't override _time with props?
Using an HTTP event collector on a heavy forwarder, I receive JSON that comes in as follows: { "env": "prod", "org": "xxx", "percentile": "95", "proxy": "xxx", "region": "europe-west1", "target":...
Can you help me with a problem extracting XML?
I've scoured Google and Answers, but my XML looks a little different than most I've seen so far:BatchNameGOCLM36962920190214001_19045SCLM000018GUIDph_TemplatephEmp_Template-Initial –...
How do you set props.conf to read gz files in Splunk?
Hello, I have gz files on a Windows server that I am monitoring using a universal forwarder and sending to a heavy forwarder --> indexer, but the data indexed in Splunk is not in a readable format,...
Capture and parse incoming source IPs from a heavy forwarder receiving incoming...
I have a heavy forwarder that is capturing incoming logs from thousands of Linux hosts. The hosts are sending their OS logs. As known, Linux logs do not identify themselves with an IP in their log...
Can you help me with some weird search behavior with SEDCMD?
Hello, I'm monitoring a single file on my Linux machine with Splunk, `[monitor:///...]` in `inputs.conf`. As I need to replace some specific strings, I'm using `SEDCMD` in `props.conf`. It looks to be...
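As an added example (not code from the post above), here is a small emulation of what a `SEDCMD` line in `props.conf` does to an event, using the `s/<regex>/<replacement>/<flags>` form with `\1`-style backreferences. The sample lines and the two `SEDCMD-*` settings are constructed for illustration; the use case is masking a bearer token and a card number before they reach the index.

```python
import re
from typing import Mapping

# Constructed sample lines (not from the original post). The second and third
# carry secrets that should never reach the index in the clear.
SAMPLE_LINES = [
    "2019-02-27 10:00:01 user=alice action=login result=ok",
    "2019-02-27 10:00:02 GET /api HTTP/1.1 Authorization: Bearer eyJhbGciOiJI.abc.def",
    "2019-02-27 10:00:03 card=4111111111111111 amount=12.50",
]

# Hypothetical SEDCMD entries as they would sit under the sourcetype stanza in
# props.conf: s/<regex>/<replacement>/<flags>, \1-style backreferences in the
# replacement, and a trailing g to replace every match on the event.
SEDCMDS = {
    "SEDCMD-mask_token": r"s/(Bearer )\S+/\1[REDACTED]/g",
    "SEDCMD-mask_pan": r"s/(card=)\d{12}(\d{4})/\1############\2/g",
}

# s, a one-character delimiter, regex, replacement, optional g flag; an escaped
# delimiter inside the regex or replacement does not terminate the field.
_SUBST = re.compile(r"^s(.)(.*?)(?<!\\)\1(.*?)(?<!\\)\1(g?)$")


def apply_sedcmd(event: str, sed: str) -> str:
    """Apply one SEDCMD substitution to a single event, as the parsing pipeline would."""
    m = _SUBST.match(sed)
    if not m:
        raise ValueError(f"unsupported SEDCMD expression: {sed}")
    delim, pattern, repl, flag = m.groups()
    pattern = pattern.replace("\\" + delim, delim)
    repl = repl.replace("\\" + delim, delim)
    count = 0 if flag == "g" else 1  # 0 means "all matches" for re.sub
    return re.sub(pattern, repl, event, count=count)


def apply_all(event: str, sedcmds: Mapping[str, str]) -> str:
    """Apply every SEDCMD-* setting in order; each one sees the previous one's output."""
    for sed in sedcmds.values():
        event = apply_sedcmd(event, sed)
    return event


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(apply_all(line, SEDCMDS))
```

Two operational points worth checking when a `SEDCMD` seems not to take effect: it runs in the parsing pipeline, so it belongs on the heavy forwarder or indexer that first parses the data (a universal forwarder does not apply it), and it only rewrites events indexed after the change, so searches over data already on disk will still show the original strings.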
When adding "KV_MODE=none" to props.conf, how come unwanted field extractions...
I am looking for assistance with unwanted fields extracted automatically. I am using a custom sourcetype that I added with a field extraction based on regex. This regex extracts four fields:...
Process of indexed extraction configuration
Hi all! I'm currently running into a very weird situation with a Splunk instance I inherited. I set up the props.conf through the UI on my dev instance by indexing a small number of events and then...
Cisco config regex
Before I begin work on what is likely to be a multi-day excursion, I wanted to see if this has already been done. I am importing Cisco switch and router startupconfigs into Splunk in hopes of setting...
Why can't I see any results while searching a search-time extracted field value?
I have a search-time extracted field defined in props.conf: [foo] EXTRACT-fields = msg=\".{20}(?.{6}) The sample log: Wed Feb 27 17:12:03 EST 2019 msg="020202P032929055801 FINDME I can see "FINDME" as...
How to remove the header of a log?
I edited props.conf & transforms.conf to remove the header of a log, but it didn't work. Here is my config: props.conf [sourcetype] TRANSFORMS-skiphdr= setnull transforms.conf [setnull] REGEX = DEST_KEY...
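As an added example (not the poster's configuration, whose REGEX value is cut off above), this emulates how the parsing pipeline evaluates a `TRANSFORMS-*` chain that routes matching events to `nullQueue`. The stanza names, the CSV-style sample events and the hypothetical sourcetype are constructed for illustration; the keys (`REGEX`, `DEST_KEY = queue`, `FORMAT = nullQueue`) are the ones Splunk actually honours for queue routing.

```python
import configparser
import re
from typing import List, Tuple

# Constructed sample data (not from the original post): a CSV-style export
# whose first line is a column header we do not want in the index.
SAMPLE_EVENTS = [
    "timestamp,src_ip,dst_ip,action",
    "2019-03-01T08:00:00Z,10.0.0.5,10.0.0.9,ALLOW",
    "2019-03-01T08:00:01Z,10.0.0.7,203.0.113.4,DENY",
]

# Hypothetical props.conf / transforms.conf content. A transform that drops
# events must set DEST_KEY = queue and FORMAT = nullQueue; without DEST_KEY the
# REGEX may match and nothing happens, which is the usual reason a "skip
# header" transform appears to do nothing.
PROPS_CONF = """
[my_csv_sourcetype]
TRANSFORMS-skiphdr = setnull
"""

TRANSFORMS_CONF = """
[setnull]
REGEX = ^timestamp,src_ip,
DEST_KEY = queue
FORMAT = nullQueue
"""


def load_conf(text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-like; keep key case and disable % interpolation
    # so regex values survive untouched.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def route_events(
    sourcetype: str,
    events: List[str],
    props_text: str = PROPS_CONF,
    transforms_text: str = TRANSFORMS_CONF,
) -> Tuple[List[str], List[str]]:
    """Return (indexed, dropped), emulating queue routing for one sourcetype."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    # Every TRANSFORMS-* key is applied in order; each may list several stanzas.
    chain: List[str] = []
    for key, value in props[sourcetype].items():
        if key.startswith("TRANSFORMS-"):
            chain.extend(name.strip() for name in value.split(","))
    indexed: List[str] = []
    dropped: List[str] = []
    for event in events:
        queue = "indexQueue"
        for name in chain:
            t = transforms[name]
            if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], event):
                queue = t["FORMAT"]  # the last matching transform wins
        (dropped if queue == "nullQueue" else indexed).append(event)
    return indexed, dropped


if __name__ == "__main__":
    kept, gone = route_events("my_csv_sourcetype", SAMPLE_EVENTS)
    print("indexed:", kept)
    print("dropped:", gone)
```

Because the last matching transform wins, the same machinery gives an allowlist: a first stanza with `REGEX = .` sending everything to `nullQueue`, followed by a second stanza whose `FORMAT = indexQueue` rescues only the events you want. Like `SEDCMD`, these transforms run on the first full Splunk instance that parses the data (heavy forwarder or indexer), not on a universal forwarder.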
Splunk_TA_aws - GuardDuty time parsing
The raw data looks like: ... blah, blah, blah ... "detail-type": "GuardDuty Finding", "time": "2019-03-14T14:40:39Z"} On our heavy forwarder I've set up in Splunk_TA_aws/local [aws:kinesis] TIME_PREFIX...
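As an added example serving both this GuardDuty post and the earlier question about overriding `_time` for HEC data, here is an emulation of what `TIME_PREFIX`, `TIME_FORMAT`, `MAX_TIMESTAMP_LOOKAHEAD` and `TZ` make the parsing pipeline pick as `_time`. It is not the poster's configuration (the real `TIME_PREFIX` value is cut off above); the sample event and the props values are constructed. Note that events sent to the HEC `/services/collector/event` endpoint take `_time` from the envelope's `time` key rather than from timestamp extraction over the event body, so this emulation applies to data that actually goes through the parsing pipeline (file monitors, the HEC `/raw` endpoint, modular inputs such as Kinesis).

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample event (not from the original post): a GuardDuty finding
# envelope as delivered through Kinesis, with the ISO-8601 "time" key.
SAMPLE_EVENT = (
    '{"version": "0", "id": "0123", "detail-type": "GuardDuty Finding", '
    '"source": "aws.guardduty", "account": "123456789012", '
    '"time": "2019-03-14T14:40:39Z", "region": "eu-west-1", "detail": {}}'
)

# Hypothetical props.conf values for the sourcetype. TIME_PREFIX is a regex
# that positions the parser just before the timestamp, TIME_FORMAT is the
# strptime-style format, MAX_TIMESTAMP_LOOKAHEAD bounds how many characters
# after the prefix are considered, and TZ supplies the zone when the format
# itself does not (the literal Z here is matched as text, not as a zone).
PROPS = {
    "TIME_PREFIX": r'"time":\s*"',
    "TIME_FORMAT": "%Y-%m-%dT%H:%M:%SZ",
    "MAX_TIMESTAMP_LOOKAHEAD": "20",
    "TZ": "UTC",
}


def extract_time(event: str, props: dict) -> Optional[datetime]:
    """Emulate the timestamp the parsing pipeline would assign as _time.

    Returns None when TIME_PREFIX never matches or nothing inside the
    lookahead window parses with TIME_FORMAT; Splunk would then fall back to
    its own heuristics or the receipt time, which is the usual reason _time
    ends up wrong after a props.conf change.
    """
    m = re.search(props["TIME_PREFIX"], event)
    if not m:
        return None
    lookahead = int(props.get("MAX_TIMESTAMP_LOOKAHEAD", 128))
    window = event[m.end(): m.end() + lookahead]
    # strptime needs an exact match, so try the longest candidate first and
    # shrink until something parses.
    for end in range(len(window), 0, -1):
        try:
            ts = datetime.strptime(window[:end], props["TIME_FORMAT"])
        except ValueError:
            continue
        if ts.tzinfo is None and props.get("TZ") == "UTC":
            ts = ts.replace(tzinfo=timezone.utc)
        return ts
    return None


if __name__ == "__main__":
    print(extract_time(SAMPLE_EVENT, PROPS))
    # A lookahead one character too short cuts off the trailing Z and the
    # format no longer matches, so nothing is extracted.
    print(extract_time(SAMPLE_EVENT, {**PROPS, "MAX_TIMESTAMP_LOOKAHEAD": "19"}))
```

The lookahead case is the one to check first when a timestamp silently falls back: the default `MAX_TIMESTAMP_LOOKAHEAD` is 128 characters from the end of the prefix match, so an explicit smaller value must still cover the whole timestamp string.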
Field extraction transformation not working in conjunction with data...
I'm trying to minimize the amount of data from Kubernetes JSON events that are being indexed into my Splunk instance. Rather than having the whole JSON which includes headers and mostly unimportant...
Extract field across multiple sources in different contexts
Hello Splunkers, I need some help with a basic extraction. I have about 8 different styles of logs which have the same event format. I brought them all in with the same sourcetype. The first logs...
What should be the deploy location for props.conf in a search head cluster?
I have a props.conf that I want to make available to all search apps on the search head. What location should it be placed in on the deployer to make it available?
CSV source not getting field headers
What am I doing wrong? I am trying to get fields from a csv. I imported one csv file into a standalone Splunk server using the "add data" GUI. It picked up the header and displayed the fields...
LINE_BREAKER breaks every line
Hello! I have two logs I'm battling with onboarding. The first, loga.log, is in the following format: [0m02-21 07:49:08,449 ContainerBackgroundProcessor[StandardEngine[jboss.web]] [/] [ERROR] [31m...
How to extract the timestamp for one index out of multiple indexes that share...
Hi all, could you please let me know how to extract _time from fields for one index out of multiple indexes that use one sourcetype? E.g. with indexes a,b,c,d,e and sourcetype=s1, here the time...
Why is LINE_BREAKER in props.conf not working?
I am using SNMP modular input (snmp_ta) for getting the SNMP logs into Splunk. The snmp_TA is installed on Heavy Forwarder and following props.conf is configured in /opt/splunk/etc/apps/snmp_ta/local...
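As an added example for this post and the earlier "LINE_BREAKER breaks every line" one (not configuration from either poster), here is an emulation of `SHOULD_LINEMERGE = false` with a `LINE_BREAKER`. The raw stream is constructed to resemble the JBoss lines shown above, with the ANSI escape written out as `\x1b[0m`; the props values are hypothetical. The point it demonstrates is the capture-group rule: Splunk requires a capturing group in `LINE_BREAKER`, and only the text that group captures is discarded as the separator, so the timestamp that marks an event start has to be kept out of the group (a lookahead here) or it is thrown away.

```python
import re
from typing import List

# Constructed raw stream (not from the original post): JBoss-style records that
# begin with an ANSI colour escape (ESC [ 0 m) followed by MM-DD HH:MM:SS,mmm.
# The first record has a continuation line that must stay attached to it.
RAW_STREAM = (
    "\x1b[0m02-21 07:49:08,449 ContainerBackgroundProcessor [ERROR] \x1b[31mfailed\n"
    "  at org.example.Foo.bar(Foo.java:42)\n"
    "\x1b[0m02-21 07:49:09,100 ContainerBackgroundProcessor [INFO] \x1b[32mrecovered\n"
)

# Hypothetical props.conf values. The capturing group is the separator that
# gets consumed; the lookahead asserts a new record follows without capturing
# it, so the timestamp stays with the event.
GOOD_PROPS = {
    "SHOULD_LINEMERGE": "false",
    "LINE_BREAKER": r"([\r\n]+)(?=\x1b\[\d+m\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})",
}

# The default breaker: every newline starts a new event, which is the
# behaviour the "breaks every line" complaint describes once line merging
# is switched off.
DEFAULT_PROPS = {
    "SHOULD_LINEMERGE": "false",
    "LINE_BREAKER": r"([\r\n]+)",
}


def break_lines(raw: str, props: dict) -> List[str]:
    """Emulate SHOULD_LINEMERGE = false with the given LINE_BREAKER."""
    breaker = re.compile(props["LINE_BREAKER"])
    if breaker.groups < 1:
        # Splunk rejects a LINE_BREAKER without a capturing group.
        raise ValueError("LINE_BREAKER needs a capturing group")
    events, start = [], 0
    for m in breaker.finditer(raw):
        events.append(raw[start:m.start(1)])  # text before the separator
        start = m.end(1)                      # separator itself is dropped
    events.append(raw[start:])
    return [e.rstrip("\r\n") for e in events if e.strip()]


if __name__ == "__main__":
    for label, props in (("good", GOOD_PROPS), ("default", DEFAULT_PROPS)):
        events = break_lines(RAW_STREAM, props)
        print(f"{label}: {len(events)} events")
        for e in events:
            print("  ", repr(e))
```

Two things to verify against a real deployment: the defaults are `SHOULD_LINEMERGE = true` and `LINE_BREAKER = ([\r\n]+)`, so a `LINE_BREAKER` only takes over event boundaries once line merging is turned off; and, as with the other parse-time settings on this page, the stanza must live on the heavy forwarder or indexer that first parses the stream, since a universal forwarder does not apply it.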