Why is indexed extraction not happening when the data comes via the UF?
Hi, We have some quite "piggy backed" data coming from a system and extracting as [mysourcetype] SHOULD_LINEMERGE=false INDEXED_EXTRACTIONS=CSV FIELD_NAMES=Date,Time,EmployeeID,EmployeeName...
How to filter the log using REGEX?
I have logs which contain 'LogonType=Owner' and some logs which contain 'InternalLogonType=Owner'. I want to send 'LogonType=Owner' to nullqueue while the latter not, so how can I write regex for it?...
help with props.conf
Hi, I have an xml-like (but not proper xml) feed that I need to parse. A sample is below, and I need to parse out each field. Each field will not necessarily be in each event, so I need a method that...
Scripted Input - Multi-line Event Issue
I have a scripted input that checks disk space used by directories (--max-depth=1 though!). So example output looks like this: Bytes Path 40395574 /tmp 0 /net 4952729895 /usr 134266341 /dev 9517345...
Change Sourcetype Question
Hello. I'm trying to change the sourcetype of ssl_bcoat2 to ssl_bcoat3 whenever an event has a digit that ends in the number 4. For some reason I cannot get this to work, and any help would be...
Mask a Credit Card from a CSV file using transforms and props files
Hi Everyone, I am new at masking data and I want to mask a field which corresponds to a TDC from a CSV file. Here is a sample of data that is already indexed in Splunk:...
Which props go where when indexing json?
I have json log files that I need to pull into my Splunk instance. They have some trash data at the beginning and end that I plan on removing with `SEDCMD`. My end goal is to clean up the file using...
Why aren't FIELD_NAMES being applied?
Attempting to send a CSV file, but it's a bit messy. I need to remove some entries that aren't formatted correctly, delete the header row, and replace it with my own (hence `FIELD_NAMES`). Data is on a...
Help with props and transforms
Hi, I have a feed where the fields are separated by brackets (<>). I have a transforms.conf that extracts the fields automatically: REGEX = <([^\/][^>]+)>(.*?)<\/[^>]+> FORMAT =...
Props.conf Timestamp Not Parsing
Hello, We have events that are being indexed with "index time" timestamps and would like to use the timestamp from the event itself. When I upload the logs to our standalone host, Splunk recognizes the...
Line break doesn't work
I have the following configuration props.conf [Scheduler] NO_BINARY_CHECK = true SHOULD_LINEMERGE = true category = Custom pulldown_type = 1 disabled = false BREAK_ONLY_BEFORE = INICIO REPORTE But line...
How to work around SEDCMD trumping EXTRACT and TRANSFORM
I have events that look like the following: 1pjxVfF7i84nvqrD4p24UVa|2019-05-14 20:41:04.035:[0:T][T1847][PaymentMethodLogoRepositoryImpl][1300][]Fetch logo (consulate_0704c4eb6fb5)...
Host transforms not working
Hello All, I have the following props and transforms **Props.conf** [host::splunk-sh1] TRANSFORMS-vdisyslogs = set_host **Transforms.conf** [set_host] REGEX = [ies|wv|inn].*.mentorg.com DEST_KEY =...
I need help parsing my json events
Hello, I'm parsing new json events from a webpage, and none of my prior props worked, I don't know why, it can't recognize timestamp or linebreaker, this is a sample: {"_time":"14/05/2019...
Why does SHOULD_LINEMERGE setting appear to make the date go backwards and...
Splunk noobie here: When I configure my props.conf file like the first snippet I get multiple events showing as a single event. [splunk@localhost ~]$ cat /opt/splunk/etc/apps/search/local/props.conf...
fun with sedcmd
Having issues with a sedcmd in my props. When I test this in my dev environment, I see expected results. However, when I apply this to my distributed environment and push it to my indexers, I am not...
props.conf for SAP SAL / Splunk thinks it is binary
Hi, my props.conf for reading the SAP Security Audit Log looks like this: [sap:sal] category = Custom LINE_BREAKER=.()2AU CHARSET=utf-16be TIME_PREFIX=2AU. TIME_FORMAT=%Y%m%d%H%M%S SHOULD_LINEMERGE =...
rex for cef event and create field alias accordingly
sample CEF: May 20 20:44:51 10.XX.XX.XX May 20 2019 20:44:51 avcm02.com CEF:0|AV|Control Manager|7.0|BM:1000|Behavior Monitoring|3|rt=May 20 2019 03:34:47 GMT+00:00 dvchost=AV1 cn1Label=Risk_Level...
Not all CSV fields getting extracted
Hi, I have a CSV feed with about 700 fields, and it looks like Splunk is only auto-detecting about 100 of them. What's very strange is it seems to stop extracting them in the middle, but then the ones...
How to re index the same file within a specified time?
Good afternoon, It is possible to index the same complete file within a certain period of time. Example: I have a configuration file with approximately 2000 lines and 61kb, I needed to index this file...