topic Re: Props Conf File in Splunk Search

Props Conf File

SplunkDash — Thu, 05 Aug 2021 21:31:52 GMT

How would I write the props config file for following events, any help will be highly appreciated, thank you!

Re: Props Conf File

isoutamo — Thu, 05 Aug 2021 22:05:08 GMT

can you describe what you want to get by props (e.g. some fields defined or drop events or ....)?

r. Ismo

Re: Props Conf File

SplunkDash — Thu, 05 Aug 2021 22:19:03 GMT

Thank you so much. I stuck writing my TIME_PREFIX and TIME_FORMAT in Props Configuration file for those events . Thank you again.

Re: Props Conf File

isoutamo — Fri, 06 Aug 2021 06:02:19 GMT

Can you post your current version?

Re: Props Conf File

SplunkDash — Fri, 06 Aug 2021 14:49:26 GMT

7.3.3

Re: Props Conf File

isoutamo — Fri, 06 Aug 2021 18:46:20 GMT

I mean your props.conf and transforms.conf (if you have also it).

Re: Props Conf File

SplunkDash — Mon, 09 Aug 2021 07:19:09 GMT

Why we need the version of it...? .....anyways, I solved that issue (see below). Thank you so much, appreciated!!!

SHOULD_LINEMERGE=false

LINE_BREAKER=([\r\n]+)

NO_BINARY_CHECK=true

TIME_PREFIX=\,+\s

TIME_FORMAT=%d %b %Y %H:%M:%S %z

MAX_TIMESTAMP_LOOKAHEAD=26

Re: Props Conf File

manjunathmeti — Mon, 09 Aug 2021 08:04:29 GMT

hi @SplunkDash,

You have pipe-separated data, you can also try INDEXED_EXTRACTIONS.

[sourcetype] INDEXED_EXTRACTIONS = PSV FIELD_NAMES = timestamp,context,type,log_level,code,message TIMESTAMP_FIELDS = timestamp SHOULD_LINEMERGE = false

Re: Props Conf File

SplunkDash — Mon, 09 Aug 2021 14:39:55 GMT

.... yes working as expected. Thank you, truly appreciated.

Re: Props Conf File

SplunkDash — Mon, 09 Aug 2021 14:41:39 GMT

..yes working as expected.....thank you so much, truly appreciated!!!

Re: Props Conf File

manjunathmeti — Mon, 09 Aug 2021 14:44:27 GMT

Please accept it as a solution, so it will help others with similar issue.