How to create a props.conf file for time format
My timestamp is appearing as such: 2019-12-10T18:13:42-05:00 My props.conf file looks like this: TIME_FORMAT=%Y-%m-%dT%H:%M:%S-%:z Is this correct? Some of my indexes are presenting a really strange...
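Added example, not taken from the post or from Splunk: a small Python harness for checking offline whether a TIME_FORMAT actually consumes a sample timestamp before the props.conf is deployed. It assumes that Splunk's `%:z` (UTC offset written with a colon) behaves like Python's `%z`, which accepts `-05:00` on Python 3.7 and later; the sample events and the 25-character timestamp window are constructed for the example.

```python
from datetime import datetime

# Constructed sample events, shaped like the timestamp in the question above.
SAMPLE_EVENTS = [
    "2019-12-10T18:13:42-05:00 host=web01 msg=login ok",
    "2019-12-10T18:13:42+01:00 host=web02 msg=login ok",
]

# Assumption: Splunk's %:z maps to Python's %z (accepts "+HH:MM"/"-HH:MM" since 3.7).
# The other tokens used here (%Y %m %d %H %M %S) are spelled the same in both.
SPLUNK_TO_STRPTIME = {"%:z": "%z"}


def to_strptime(time_format: str) -> str:
    """Translate Splunk-only tokens in a TIME_FORMAT into strptime spelling."""
    for splunk_tok, py_tok in SPLUNK_TO_STRPTIME.items():
        time_format = time_format.replace(splunk_tok, py_tok)
    return time_format


def try_time_format(raw_ts: str, time_format: str):
    """Return a timezone-aware datetime if time_format parses raw_ts, else None.

    None is the interesting result: a format that does not match means Splunk
    would ignore it and fall back to automatic timestamp recognition, so the
    indexed _time may silently differ from what the event says.
    """
    try:
        parsed = datetime.strptime(raw_ts, to_strptime(time_format))
    except ValueError:
        return None
    if parsed.tzinfo is None:
        return None  # text consumed, but no UTC offset captured
    return parsed


def epochs_for_events(events, time_format, ts_len=25):
    """Epoch seconds for each event's leading timestamp; None where the format fails.

    ts_len plays the role of MAX_TIMESTAMP_LOOKAHEAD: only the first ts_len
    characters are handed to the parser (25 fits YYYY-MM-DDTHH:MM:SS+HH:MM).
    """
    out = []
    for ev in events:
        dt = try_time_format(ev[:ts_len], time_format)
        out.append(int(dt.timestamp()) if dt is not None else None)
    return out


if __name__ == "__main__":
    # A literal "-" before the offset token eats the sign, so the offset
    # token itself then has nothing to match and the whole format fails.
    for fmt in ("%Y-%m-%dT%H:%M:%S%:z", "%Y-%m-%dT%H:%M:%S-%:z"):
        print(fmt, "->", epochs_for_events(SAMPLE_EVENTS, fmt))
```

Both sample events carry the same wall-clock time in different offsets, so a correct format must yield epochs four hours apart; a list of `None` means the format never matched and should not be shipped.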
Strange data comes out as field values. Same as the source path
I have a strange problem. In the search header, the value of the field created in props.conf is the same as the source path. SH - props.conf LOOKUP-center_tag_dest = ldcc_portal_asset IP AS dest OUTPUT...
Parsing Meraki CMX API data on props.conf
I'm trying to parse data coming from Cisco Meraki CMX using HTTP Event Collector. The raw data was JSON API. I'm using props.conf [http_json] INDEXED_EXTRACTIONS = json SHOULD_LINEMERGE = false KV_MODE...
Help modifying timezone in props.conf
I need to change the timezone for a host sending logs to our production instance. I have set up a free test instance of Splunk to try this out before making any changes and have been unsuccessful. I am...
JSON input not splitting up in single line
I am using API to fetch the JSON logs and sending JSON output to Splunk. Props.conf is on the search head. I am seeing the intermittent issues of not splitting the JSON logs even though I am sending...
Best timestamp format
Hello guys, could you confirm Splunk handles best US format (MM/DD/YYYY or YYYY/MM/DD for instance) where the month precedes the day? Thanks.
Universal Forwarder props.conf and transforms.conf settings
I am trying to get the output from a python script to the indexer. So I added transforms.conf and props.conf under C:\Program Files\SplunkUniversalForwarder\etc\system\local transforms.conf...
syslog-ng props and transforms conf for ingesting data
Hi! I'm trying to ingest metric data from a Virtual Machine Linux box, using syslog-ng and Splunk Universal Forwarder. It's for an application, so on my Windows box I'm trying to make the configuration...
How to set a large log to ingest as one single event?
Been working on this for a week... hence my question now. I have a log that can be anywhere between 3,000 lines or 20,000+ lines. It's an output of a script that takes around 1 minute to complete. It...
Regex / Transforms issue.
Hi Regexian Splunkers, I have an event that looks like so: 2020-02-20 20:22:02.202020 test:>"value" test1:>"value1" test2:>"this is a \"test\"" test3:>"this is \"a test\" ok"...
Validating timestamp extraction after an update
Hi, I have updated all my instances by updating the datetime.xml file as described here:...
Is it better to specify TIME_FORMAT or let Splunk automatically determine...
Hey, I am currently doing clean-up work on some of the in-house TAs built for our environment. We are getting timestamps in a more consistent way on some sources and I was wondering what would improve...
Regex for CIDR exclusion
Hi, Need some help with getting a correct Regex for CIDR exclusion. *(This is an example. Not the real IP range.) Trying to exclude events that have IPs in the 79.40.96.0/22 range. Following is the...
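Added example, not the poster's regex or anything shipped by Splunk: a Python routine that derives a CIDR-matching regex from the prefix length instead of hand-writing it, checks the regex against the `ipaddress` module on sample addresses, and renders the transforms.conf stanza that would drop matching events at parse time. It generalises beyond the /22 in the question to any IPv4 prefix. The log lines, the stanza name `drop_79_40_96_22`, and the field layout are constructed for the example.

```python
import ipaddress
import re

# One dotted-quad octet, 0-255, used for octets outside the prefix.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"


def cidr_to_regex(cidr: str) -> str:
    """Build a regex (Python and PCRE compatible) matching every IPv4 address in cidr.

    Octets fully inside the prefix are matched literally; an octet the prefix
    cuts through becomes an alternation of the values it can take; the rest
    accept 0-255. The look-arounds stop neighbours such as 179.40.97.5 from
    matching as a substring.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # rejects 79.40.97.0/22 (host bits set)
    if net.version != 4:
        raise ValueError("IPv4 only")
    octets = str(net.network_address).split(".")
    full, rem = divmod(net.prefixlen, 8)
    parts = [re.escape(o) for o in octets[:full]]
    if rem:
        start = int(octets[full])          # already aligned: network address has host bits clear
        count = 1 << (8 - rem)             # number of values the partial octet can take
        parts.append("(?:" + "|".join(str(v) for v in range(start, start + count)) + ")")
        full += 1
    parts.extend([OCTET] * (4 - full))
    return r"(?<![\d.])" + r"\.".join(parts) + r"(?![\d.])"


def drop_in_cidr(events, cidr: str):
    """Return only the events that do NOT contain an address inside cidr."""
    rx = re.compile(cidr_to_regex(cidr))
    return [ev for ev in events if not rx.search(ev)]


def regex_agrees_with_ipaddress(cidr: str, addresses) -> bool:
    """Self-check: the regex and ipaddress must agree on every sample address."""
    rx = re.compile(cidr_to_regex(cidr))
    net = ipaddress.ip_network(cidr)
    return all(bool(rx.fullmatch(a)) == (ipaddress.ip_address(a) in net) for a in addresses)


def nullqueue_stanza(name: str, cidr: str) -> str:
    """Render the transforms.conf stanza that routes matching events to nullQueue."""
    return f"[{name}]\nREGEX = {cidr_to_regex(cidr)}\nDEST_KEY = queue\nFORMAT = nullQueue\n"


# Constructed sample events: the first two fall inside 79.40.96.0/22, the rest do not.
SAMPLE_EVENTS = [
    "2020-03-01T10:00:00Z src=79.40.96.1 action=allow",
    "2020-03-01T10:00:01Z src=79.40.99.254 action=allow",
    "2020-03-01T10:00:02Z src=79.40.100.7 action=deny",
    "2020-03-01T10:00:03Z src=179.40.97.5 action=deny",
    "2020-03-01T10:00:04Z src=79.40.95.255 action=allow",
]

if __name__ == "__main__":
    print(cidr_to_regex("79.40.96.0/22"))
    for ev in drop_in_cidr(SAMPLE_EVENTS, "79.40.96.0/22"):
        print("kept:", ev)
    print(nullqueue_stanza("drop_79_40_96_22", "79.40.96.0/22"))
```

The stanza is wired in from props.conf with `TRANSFORMS-drop = drop_79_40_96_22` under the sourcetype, on the instance that parses the data (indexer or heavy forwarder); `strict=True` is deliberate so that a CIDR whose host bits are set fails loudly instead of producing a regex for the wrong block.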
Help with props and regex for index time extraction and adjustment of time zone
A typical Event (which has no line breaks): HOSTVULN: HOST_ID=109436564, IP="10.1.40.106", TRACKING_METHOD="AGENT", OS="Windows 10 Enterprise 64 bit Edition Version 1803", DNS="410-dt-12345-04",...
Forward filtered logs to indexer and full logs to third party syslog server
Hello, I am currently forwarding logs from uf to HF to idx. What I am trying to achieve is drop windows event with the event code 4674 for example from being sent to idx. At the same time, forward all...
Filter events from UF based on source + sourcetype or host
Hello, is it possible to filter events based on sourcetype + (host OR sourcetype) with props.conf/transforms.conf on indexers? Filtering data only based on sourcetype or source could be too wide. Thanks.
Understanding the relationship between props.conf and transforms.con
I am setting up a specific forwarder to monitor a log file that generates logs for multiple cases, but I only care about one, so I decided to filter the logs when they reach the server by utilizing the...
How to stop processing properties if a condition is met
Is it possible to stop processing properties in props.conf if a condition is met? I've been running a lot of tests with props.conf-transforms.conf and how the indexer performs under different...
Changing the sourcetype to remove spaces
I'm working on a TA to process Venafi messages brought in via RestAPI. When I was testing I used hostname in the props.conf file to call the transform to change the sourcetype. I can't do that in...