Getting Data In

Bro Logs: How can I remove fields that an analyst accidentally created, and how do I fix a parsing error?

nb1030
New Member

I have an analyst that was playing around trying to extract a new field. Unfortunately, he used the delimiter function and instead of backing out of it, he saved it. So on top of the normal fields being parsed out, I have over 60 fields called field1, field2, field3, etc. How can I go about removing these? Also, a second part to this question, I have bro_http logs coming in and the contain a "version" field. This field is not being parsed out, instead, everything being parsed out has shifted to the left by one field (i.e. instead of version being 1.1, the version is showing the user_agent information, which should be in the user_agent field one field to the right)? What file can I update to ensure it is parsing out the version?

0 Karma

hardikJsheth
Motivator

The user has done search time extraction and you need too remove it. You can delete unwanted configuration from props.conf files and transforms.conf file . It will be inside the local folder of the app where user was performing extraction.

0 Karma

nb1030
New Member

I was able to find the correct transforms.conf file and fixed my parsing issue. I am still having a difficult time finding the props.conf file to remove the search time extraction. He did it from the search&reporting app. When I look under the search app, the props.conf file only shows EXTRACT-fields = (?i)^(?:[^ ] ){2}(?:[+-]\d+ )?(?P[^ ])\s+(?P[^ ]+) - (?P.+)....Is this what I should be removing? If so, when I commented out the line, it did not get rid of the fields.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...