https://community.splunk.com/t5/Knowledge-Management/Testing-uploaded-Check-Point-files-and-granularity/m-p/434828#M6243 <P>I changed the question to include some sample events.</P> Wed, 08 May 2019 07:22:39 GMT tdthorwald 2019-05-08T07:22:39Z https://community.splunk.com/t5/Knowledge-Management/Testing-uploaded-Check-Point-files-and-granularity/m-p/434824#M6239 <P>hello,</P> <P>I am currently testing Splunk, with a single instance on a VM.<BR /> I have some trouble getting information out of logs correctly.<BR /> The log I am analysing has the following fields: <BR /> Time Stamp, Action, Source, Destination, Translated, Source, Translated Dest, Duration, Bytes Sent, Bytes Received, Application, and Reason.<BR /> some sample data:</P> <PRE><CODE>======================================================================================================================== Entire Traffic Log list Current system time is Thu, 25 Apr 2019 09:38:19 ======================================================================================================================== Time Stamp Action Source Destination Translated Source Translated Dest Duration Bytes Sent Bytes Received Application Reason 2019-04-25 09:38:19 Permit 10.11.100.139:49573 192.168.3.2:9090 10.11.100.139:49573 192.168.3.2:9090 0 sec 0 0 TCP PORT 9090 Creation 2019-04-25 09:38:19 Permit 10.11.100.104:52934 &lt;public IP&gt;:443 &lt;public IP&gt;:30233 &lt;public IP&gt;:443 0 sec 0 0 HTTPS Creation 2019-04-25 09:38:19 Deny 10.10.1.50:60239 &lt;public IP&gt;:443 0.0.0.0:0 0.0.0.0:0 0 sec 0 28 HTTPS Traffic Denied 2019-04-25 09:38:19 Permit 10.11.100.139:49572 192.168.3.2:9090 10.11.100.139:49572 192.168.3.2:9090 0 sec 0 0 TCP PORT 9090 Creation 2019-04-25 09:38:19 Permit 10.11.100.133:50622 &lt;public IP&gt;:443 &lt;public IP&gt;:32209 &lt;public IP&gt;:443 0 sec 0 0 HTTPS Creation 2019-04-25 09:38:19 Permit 10.11.100.139:49571 192.168.3.2:9090 10.11.100.139:49571 192.168.3.2:9090 0 sec 0 0 TCP PORT 9090 Creation 2019-04-25 09:38:19 Permit 10.11.100.39:51561 &lt;public IP&gt;:443 &lt;public IP&gt;:57732 &lt;public IP&gt;:443 0 sec 0 0 HTTPS </CODE></PRE> <P>That's the first few lines of the log.<BR /> I have replaced public IPs with <CODE>&lt;public IP&gt;</CODE> for obvious reasons.</P> <P>When I try to transform all these so I can select on them more easily, I run into errors.</P> <P>What is the best way to get the data out?</P> <P>I guess I have to change a props.conf file. How do I find the one that contains the sourcetype I created?</P> Tue, 30 Apr 2019 08:39:33 GMT https://community.splunk.com/t5/Knowledge-Management/Testing-uploaded-Check-Point-files-and-granularity/m-p/434824#M6239 tdthorwald 2019-04-30T08:39:33Z https://community.splunk.com/t5/Knowledge-Management/Testing-uploaded-Check-Point-files-and-granularity/m-p/434825#M6240 <P>your question/problem seems to be very generic. would be good to put the actual event message etc.</P> <P>So at which point you stuck?<BR /> 1. Are you able to index data into Splunk? Check if inputs.conf is correct<BR /> 2. Did you specify the indextime settings correctly? (ie. timestamp, source, host, sourcetype, line break etc.) all within props.conf<BR /> 3. Once (1) and (2) is complete, ensure you extract all basic things like sourcetype, time etc.</P> Fri, 03 May 2019 21:22:57 GMT https://community.splunk.com/t5/Knowledge-Management/Testing-uploaded-Check-Point-files-and-granularity/m-p/434825#M6240 koshyk 2019-05-03T21:22:57Z https://community.splunk.com/t5/Knowledge-Management/Testing-uploaded-Check-Point-files-and-granularity/m-p/434826#M6241 <P>Hello Koshyk,</P> <P>1) The data goes into Splunk fine.<BR /> 2) Yes. the line break is fine.</P> <P>Even Sourcetype, time, source are extracted correctly. But an event is just that, an event. I cannot select on sourceIP, or protocol. <BR /> I can select <EM>a</EM> sourceIP from any event, but not <EM>all</EM> SourceIPs, because Splunk does not see them as key/value pairs. It only sees the default key/value pairs.</P> <P>My question is: where do I define them? in the inputs.conf file?<BR /> If I look for "inputs.conf" I get 26 hits (the VM is both Indexer, UF ánd SH...)<BR /> In <STRONG>SPLUNK\etc\system\default** the sourcetype I configured does not appear in either **inputs.conf</STRONG> or <STRONG>props.conf</STRONG>.</P> Mon, 06 May 2019 07:52:39 GMT https://community.splunk.com/t5/Knowledge-Management/Testing-uploaded-Check-Point-files-and-granularity/m-p/434826#M6241 tdthorwald 2019-05-06T07:52:39Z https://community.splunk.com/t5/Knowledge-Management/Testing-uploaded-Check-Point-files-and-granularity/m-p/434827#M6242 <P>you need to provide sample events and we can write the props.conf for you</P> <P>these settings are normally in props.conf with sometimes, (for complex extractions) transforms.conf</P> Mon, 06 May 2019 07:57:25 GMT https://community.splunk.com/t5/Knowledge-Management/Testing-uploaded-Check-Point-files-and-granularity/m-p/434827#M6242 koshyk 2019-05-06T07:57:25Z https://community.splunk.com/t5/Knowledge-Management/Testing-uploaded-Check-Point-files-and-granularity/m-p/434828#M6243 <P>I changed the question to include some sample events.</P> Wed, 08 May 2019 07:22:39 GMT https://community.splunk.com/t5/Knowledge-Management/Testing-uploaded-Check-Point-files-and-granularity/m-p/434828#M6243 tdthorwald 2019-05-08T07:22:39Z https://community.splunk.com/t5/Knowledge-Management/Testing-uploaded-Check-Point-files-and-granularity/m-p/434829#M6244 <P>I updated the question with an example... <BR /> Can anyone help me?</P> Tue, 28 May 2019 13:46:01 GMT https://community.splunk.com/t5/Knowledge-Management/Testing-uploaded-Check-Point-files-and-granularity/m-p/434829#M6244 tdthorwald 2019-05-28T13:46:01Z