How to index the same set of logs and route them to 2 different indexes, but...
Hello fellow Splunkers! **Problem Statement** - My logs have INFO, WARNING and DEBUG log entries. The DEBUG log entries have customer-specific information which I wouldn't want to expose to a wider...
How to extract the same fields from multiple log formats?
Hi, I have 3 different log files and there are 8 different formats in them. All formats have the same fields in them (cpu, memory etc.) and the regex is similar. Hence, based on the system name, I should...
If I have a thousand hosts logging under CST timezone, how do I override this...
I have hosts (*.xyz.com) set to log under CST. Now I have a couple of boxes out of a thousand (ABC.xyz.com and ABC1.xyz.com) to log under Eastern time zone. How can I override this in props? Existing...
Why am I unable to capture an accurate timestamp from a CSV field in the...
We're collecting logs which have the timestamp in the middle of the log message, which is also in GMT. I'm trying to define the pattern for the timestamp and tell Splunk to treat it as GMT. I've...
Why am I unable to extract fields from multiline events with my current...
Hi All, I am trying to extract fields from multiline events which were injected from our server into Splunk. We have our events as below, where each event starts with a timestamp and all the below events...
Can multiple sourcetype stanzas in a props.conf point to one single...
Hello Splunk Community, Does this seem logical below? I am unsure if ASCII precedence is in play when I use the below logic? See Props.conf and then transforms.conf below that. Thank you in advance....
How to configure props.conf TIME_FORMAT to recognize 2 variations of a...
I have a log that has time expressed like this `20151218111015`. So that would be December 18th, 2015 11:10:15. However, sometimes it doesn't have the seconds. So, the props.conf TIME_FORMAT could be...
Importing txt files, how do I configure props.conf so "£" characters do not...
Below is the format I want to import. The data is showing `\xA0` where there should be a `£`. Please can you send through some recommended settings for props.conf? Date:\xA001/12/2015...
How to set and configure the sourcetype to format events written to Splunk's...
I'm having issues when writing events to Splunk's HTTP event collector. We have a good amount of existing queries that may need to be rewritten if this cannot be successful. The problem occurs when the...
Slow "command.search.kv" phase
I have slow searches on one particular index, which is receiving apache access.log files. When I inspect my jobs, I see a very long "command.search.kv" phase. I guess I made a rookie mistake on the...
How to Timestamp Events
I have an index which is not timestamping the events. I looked in the Docs and it said I have to define it in my props.conf. If this is true, can someone help me with the correct stanza? Here's what a...
Why are DAT files not being read with my current monitor configurations?
Hi, I have configured an app being pushed from deployment server to a remote Windows host to read DAT files. Links already referenced:...
How to use a lookup with wildcard based fields to search for matching field...
Hi all. My scenario is: 1) lookup table with 3 fields msgId,msg,critical SHK5*,*BLABLABLA*,yes 2) events/incidents should be enriched with the field **critical** in case BOTH fields of the...
Splunk Enterprise Security: How to drop all events on Exchange servers except...
We run a few Exchange servers and we need to collect logs for our Splunk Enterprise Security Suite, however, there are many webapps running on an Exchange server, we want to trim the logs we collect to...
After deploying an app with a sedcmd stanza in props.conf, why is my data not...
Hi, I want to anonymize sessionid information from weblogs. I use a deployment server to push out an app with the log files we are tailing. In that app, I have a props.conf with the following line:...
Can I use the parameters "BREAK_ONLY_BEFORE=\d+:\d+\d+" and...
Can I use these two lines in a single props.conf? BREAK_ONLY_BEFORE=\d+:\d+\d+ BREAK_ONLY_BEFORE_DATE=true
Events not breaking correctly - using mv-add
Hello Splunkers. I'm helping a client to find out why some of his events are not being broken correctly. They are currently running a Search Head Cluster with 3 SHs, 2 Indexers, 1 Master Cluster and 1...
Can I use the parameters "BREAK_ONLY_BEFORE=\d+:\d+\d+" and...
Can I use these two lines in a single props.conf? Will it work? BREAK_ONLY_BEFORE=\d+:\d+\d+ BREAK_ONLY_BEFORE_DATE=true
How to change the path Cisco Security Suite reads data from, and can we edit...
Hi everyone, What I want to do using Cisco Security Suite is to show data on my dashboard using a custom log file. I do not want to touch the real server that is already functional and set up...
How do I edit my current inputs.conf and props.conf for proper monitoring,...
Sorry, newbie questions. I have been looking at trying my hand at customizing the setup instead of using the GUI. These are from things I have tried and read in the docs. The idea would be to set up...