How to write the props.conf stanza to test the transforms regex?
The following is transforms.conf in my search head [a_b] SOURCE_KEY = _meta REGEX = (logtype::A.*(id::(123|456)|(id::789.*username!::[a-zA-Z]{2,3}-+.*?-ZLX)) DEST_KEY = _ghi FORMAT = KLMN Now how to...
KV_MODE=json sometimes skips a particular JSON field?
We have a log file with multiple lines of JSON similar to this: { "foo": "bar","foo1":"foo2","userEmail":"foo@bar.com"} { "foo": "bar","foo1":"foo2","userEmail":"foo1@bar.com"} { "foo":...
How to exclude sending logs to heavy forwarder which ends with a specific...
The following are my transforms.conf and props.conf in my cluster master transforms.conf [send_to_heavyforwarder] SOURCE_KEY = _meta REGEX = (logtype::SAT.*id::(ABC-1|ABC-2)) DEST_KEY = _TCP_ROUTING...
How to figure out if forwarders are utilizing props or transforms?
We have Universal Forwarder on our windows servers varying in version from 6.2.3 to 7.1.3. Our Splunk Enterprise version is 7.0.1 (upgrading soon). I was always under the impression that formatting...
Please assist in LINE_BREAKER stanza in `props.conf` for custom app
Dears, I have an app which generates logs in following pattern: ---------------------------------------- Timestamp: 2019-08-23 14:00:01.545 UserLogin: ascache UserId: -1 Severity: Information Message:...
Why is this event splitting into three single events?
Hi, Our raw events from mod_security logfile are split into three different events. I've tried multiple settings in props.conf without success. Current config is: [modsec:audit] SHOULD_LINEMERGE =...
How to filter the logs when a username field ends with "-TEST"
The following are my transforms.conf and props.conf in my cluster master which are sending all the logs for the below search logtype=SAT (id="ABC-1" OR id="ABC-2") transforms.conf...
Can someone explain to me what "category" is used for in props.conf?
All, Can someone provide me some examples and why I would use categories in my props.conf? category = * Field used to classify sourcetypes for organization in the front end. Case sensitive. Does not...
Index time not getting captured correctly
[spectrum_alarms] DATETIME_CONFIG = NO_BINARY_CHECK = true SHOULD_LINEMERGE = false TIME_PREFIX = 0x11f4e\"\, \"\$\"\:\ " category = Custom disabled = false pulldown_type = true my data looks like...
Custom IIS sourcetype - field extractions
trying to copy standard IIS field extractions to a new custom sourcetype, however these are not displaying from the indexer cluster. any suggestions? am I missing a transforms in the custom app? looked...
Can someone explain the triggers stanza in props.conf?
All, I noticed a [triggers] stanza in an app I Just made with the AppBuilder in props.conf. Anyone have some documentation on this config?
BREAK_ONLY_BEFORE_DATE=true is not working
Here is my log sent from an UF to and Indexer: 2019-09-16 09:37:00 Fetching ISS data 'issfiles/sampleFile.tmp' -> 'issfiles/sampleFile.new' 2019-09-16 09:37:04 Fetch of ISS data completed...
Field extraction and field aliasing not working
I need to rename field and calculate some field as I mentioned below but it not working at all. [Workday] INDEXED_EXTRACTIONS=csv KV_MODE=none MAX_TIMESTAMP_LOOKAHEAD = 32 NO_BINARY_CHECK = true...
TIMESTAMP_FIELDS for different sources and timestamps using same sourcetype...
Hello guys, TIMESTAMP_FIELDS must be setup in props.conf on indexers side, therefore how to use TIMESTAMP_FIELDS for different sources and timestamps using same sourcetype _json? Must we define...
And condition between two different fields in transforms.conf
Hi, I want to filter out Checkpoint events based on two different conditions: 1. It comes from a specific IP XX.XX.XX.XX, I have this information in host metadata field. 2. The action field after...
Eval condition in props.conf using mvindex?
I have a field which contains 2 values for every event as shown below: Field Name :- Username Example Values :- A,B Now from the above example I have defined 2 extra fields **first_user** and...
Set time zone dynamically based on host name?
I've got 95% of this new input working, but was hoping to also configure the TZ (dynamically) based on the host name value. Would like to set the correct time zone based on the hostname starting with...