How do I only index events within a log that start with a specific series of...
Hello all, I am trying to index a subset of a very painful log which has header and footer noise and whose events start with the same set of characters. Here is a simplified version of the log:...
How do I configure my sourcetype to deal with a log that creates events with...
Hello all, I have a structured log that doesn't contain headers but contains fields with fixed lengths. Here is a simplified example that considers 4 fields with names `exit_code`, `id`,...
How to write parsing configuration for json file?
My log contains multiple {} data structures and I want to get all JSON fields inside extracted fields in Splunk. How do I parse it? { [-] service: [ [-] { [-] name: xxxxx id: xxx } ] Filename: xxx dest: xxx...
How to exclude field with null value
I have indexed a JSON file and want to remove a field which has a 'null' value (event 1), but if the same field has a correct value in the next event (2) it should consider that field and extract the...
What will the regex be for timestamp format 2019-11-06T03:30:27+00:00?
What will the regex be for the timestamp format 2019-11-06T03:30:27+00:00? I am getting an error while indexing the data file.
How can I limit my collection of DNS data using STREAM to a single domain name?
I currently have Stream collecting DNS from our DNS server. I also have some DNS forwarders for which I have been asked to capture any queries or responses for a particular DNS name. I thought I could just...
Why is line breaking not consistent on Tomcat logs?
I've written the props.conf below and placed it in etc\apps\\local. I'm getting sporadic results and lines are being chunked together. Any help would be greatly appreciated. [tomcat:jackrabbit:log]...
Replacing backslash not working in SEDCMD after re-directing through...
Hi, I am trying to escape the backslash character in JSON data. It works when I apply the SEDCMD definitions in props.conf for sourcetype mysrc. But when I redirect the definitions to transforms.conf...
About deployment-apps
Hi all. I have a cluster environment (1 search head, 2 indexers). I want to change the character code of the data. So I rewrote and reloaded the props.conf of the application under deployment-apps of...
Index gzipped files without .gz extension
Hi, I am trying to index gzipped files that do not have the .gz extension on a Windows universal forwarder. First I got the following messages in splunkd.log: 11-18-2019 15:06:33.698 +0100 INFO...
Is it possible to ingest XML?
It is 2019 and there is still not a comprehensive Splunk Answer or documentation page on how to ingest XML. Can someone explain to me how to configure props to ingest removedremoved ... many more attributes...
How can we add new fields to proxy logs?
Hi, currently I'm using the SplunkAppForBlueCoatProxySG app, which is working as expected. My user wanted to add a few more additional fields for proxy logs. We tested by adding only one new field at the END...
BREAK_ONLY_BEFORE not working with XML input
Hi, I have an XML file input with the following form: In order to extract fields, I want to split this input into one event per record. To do this, I tried this in props.conf: [sourcetype_name] .....
How to remove the Windows message description
Found a great article on how to remove the Windows message description - https://www.hurricanelabs.com/splunk-tutorials/windows-event-log-filtering-design-in-splunk# - and followed the article to...
How to set timestamp format for each event in a log file?
Here is the scenario. We have a log file that comes in, for which we do some modification on the sourcetype to set it based on the lines in the event. We are doing this using props and transforms. I am...
Help Masking a field value from raw events that shows in multiple patterns
I'm trying to mask a field value for a policy number that is present in my raw logs under different patterns. To explain, I'm using a field extraction: EXTRACT-policyNumber = policy.*(-|=)\s(?P\w+)...
How to dynamically route logs to multiple indexes and sourcetypes based on...
Hi, I am working on OS log onboarding data under multiple hostname folders, and these hostname folders are located at the same file path. My plan is to dynamically onboard these logs to indexes based on...
Ingest only rows containing certain text from log file
I have a very large log file (20,000+ lines per log file) and I only need the rows that contain "tell_group.pl" in them. Some lines start with that text, others have a "+ " before it. I'm hoping to build...
Help filtering data to nullQueue
I'm trying to filter out unwanted data but it's not working using my current stanzas in props & transforms. However, I was able to filter using the regex and reset the sourcetype so that should...
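The two preceding posts (keeping only the lines that contain "tell_group.pl", and sending unwanted data to nullQueue) come down to the same index-time routing pattern. The following props.conf/transforms.conf pair is an added example for this page, not configuration from either poster or from Splunk's own docs. It assumes a hypothetical sourcetype name `script_log` and a hypothetical app directory; substitute the real sourcetype. It uses the "drop everything, then re-admit what matches" ordering: Splunk applies the transforms in the order listed in `TRANSFORMS-`, and the last transform to write the `queue` key wins, so the catch-all drop must come first.

```ini
# props.conf  (e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf; app name assumed)
# The stanza name must match the sourcetype the data arrives with.
[script_log]
# Order matters: each transform overwrites the queue key set by the previous
# one, so the catch-all "drop" runs first and the "keep" rule runs last.
TRANSFORMS-filter = drop_everything, keep_tell_group

# transforms.conf  (same app/local directory)
[drop_everything]
# "." matches any event, so by default everything goes to nullQueue (discarded).
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_tell_group]
# Re-admit events that mention the script. Matching anywhere in _raw covers
# both lines that begin with "tell_group.pl" and lines prefixed with "+ ".
REGEX = tell_group\.pl
DEST_KEY = queue
FORMAT = indexQueue
```

Two checks worth making when this "does nothing": the stanzas must live on the first full Splunk instance in the data path (a heavy forwarder or the indexers), because a universal forwarder does not parse events and ignores `TRANSFORMS-`; and `REGEX` is evaluated against the whole event (`_raw` is the default `SOURCE_KEY`), so if line breaking has merged several lines into one event, a single matching line keeps the entire event. Reload with `splunk btool transforms list --debug` and `splunk btool props list --debug` to confirm the stanzas are actually being picked up from the app you edited.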