how to use mvexpand in props.conf
I am trying to put mvexpand in props.conf but i am not getting how to do .Is there any alternative ?
View ArticleProps.conf regex question
We are ingesting Exchange message trace logs and the username is not being pulled correctly. Reviewing the default/props.conf file I see the following field extraction: EXTRACT-user =...
View ArticleReview this method for exchange message trace and regex
We are ingesting Exchange message trace logs and the username is not being pulled correctly. Reviewing the default/props.conf file I see the following field extraction: EXTRACT-user =...
View Articletransforms.conf and props.conf for replacing/substituing values in data that...
I want to replace/substitute the string value in the raw data with new string value. I have successfully done the substitution using props.conf (SED-cmd) But now I need to do the same with...
View ArticleProps.conf extract not working
Hi folks, Recently onboarded a new sourcetype configured with search time extractions. Regex works when tested on sample data, however at search time, about 400 fields are extracted which are complete...
View ArticleRegex in props.conf doesn't work
Our application logs events to the Windows application events with custom SourceNames. Need help to extract the fields using the props and transforms. I am able to extract the fields search time using...
View ArticleTruncate in props.conf
what is the expected impact of increasing the value for TRUNCATE, the log reception upper limit setting value that can be defined in the indexer props.conf. Also, is there any problem cases with...
View ArticleUnable to line break
I have a log file with the following lines; 2019/07/08 11:40:01 mess5 list_frozen_.sh mess5b stream 125 is Frozen. 2019/07/08 11:40:01 mess5 list_frozen_.sh mess5b stream 126 is Frozen. 2019/07/08...
View ArticleIngest XML files, fields not being created
Hi, i am trying to ingest XML files and split the elements in fields, my log files are; 1756960220404917569602404049 and from other questions my props.conf and transform.conf are below props.conf [pms]...
View ArticlePossible to extract same value from different fields in props.conf?
For Exchange message trace logs I am extracting the user as following in the props.conf file: EXTRACT-user = "RecipientAddress":"(?\S+)@ I would also like to extract the user from the SenderAddress as...
View ArticleDuplicate Host Field from JSON Event
Hey there, we are pumping millions of Zabbix events in to our splunk environment over a Heavy Forwarder. The events are JSON string like this:...
View ArticleHow to line break at indent
I'm trying to split log4j Java exceptions. I need to split a large event into smaller events where an indent does not occur, except when there is a "caused by" clause. I know that I need to edit...
View ArticleSplunk Cloud - How to change props.conf, transforms.conf, index.conf
Hi, I am on trial version of Splunk cloud where we are provided just with the splunk endpoint. In Splunk Enterprise Trial on AWS marketplace, we actually can SSH into the machine and change props.conf...
View ArticleSplunk Cloud - How to change props.conf, transforms.conf, and index.conf?
Hi, I am on trial version of Splunk cloud where we are provided just with the splunk endpoint. In Splunk Enterprise Trial on AWS marketplace, we actually can SSH into the machine and change props.conf...
View Articlefield value is being extracted as fieldname in regex
I am trying to extract xml fields using regex but I am encourtering this issue for this specific tags, It is working with other tags. I have tested my regex in regex101 and it is working properly....
View ArticleIs Splunk's "syslog-host" REGEX in...
In `$SPLUNK_HOME/etc/system/default/` we find this troublesome configuration in transforms.conf: [syslog-host] DEST_KEY = MetaData:Host REGEX =...
View ArticleStandalone transforms.conf stanza (not called in props.conf) without warnings
Hello, In a particular TA, I had to use a standalone transforms.conf stanza : [standalone_stanza] REGEX = (.+?)\:\s(.+?)(?:\\r\\n|$) FORMAT = $1::$2 It is needed because I needed dynamic field name...
View Articlefiltering logs before indexing
I have json type of data and below is the sample events .I want to filter out the events which have the field called event name with vale GetObject i.e . eventName=GetObject sample event 1...
View Articleindex future date events as today's date in _time
I am getting a future timestamped event, but I want to index it as default time of index. i.e. at the time when it got indexed. Presently I have changed > MAX_DAYS_HENCE = 0 in my props.conf. But I...
View ArticleNeed a help on Line Breaking and Time Prefix, Time_Format on props.conf ?
Hi All, Need a help on Line Break Regex and TIME_FORMAT on props.conf, I am ingesting sonarqube logs in to splunk for the below log details with the following source type, but got stuck with the Regex...
View Article