Getting Data In

Bro Logs: How can I remove fields that an analyst accidentally created, and how do I fix a parsing error?

nb1030
New Member

I have an analyst who was playing around trying to extract a new field. Unfortunately, he used the delimiter function and, instead of backing out of it, he saved it. So on top of the normal fields being parsed out, I have over 60 fields called field1, field2, field3, etc. How can I go about removing these? Also, a second part to this question: I have bro_http logs coming in and they contain a "version" field. This field is not being parsed out; instead, everything being parsed out has shifted to the left by one field (i.e. instead of the version being 1.1, the version field is showing the user_agent information, which should be in the user_agent field, one field to the right). What file can I update to ensure it is parsing out the version?

0 Karma

hardikJsheth
Motivator

The user has done a search-time extraction and you need to remove it. You can delete the unwanted configuration from the props.conf and transforms.conf files. They will be inside the local folder of the app where the user was performing the extraction.

0 Karma

nb1030
New Member

I was able to find the correct transforms.conf file and fixed my parsing issue. I am still having a difficult time finding the props.conf file to remove the search-time extraction. He did it from the Search & Reporting app. When I look under the search app, the props.conf file only shows EXTRACT-fields = (?i)^(?:[^ ] ){2}(?:[+-]\d+ )?(?P[^ ])\s+(?P[^ ]+) - (?P.+)... Is this what I should be removing? If so, when I commented out the line, it did not get rid of the fields.

0 Karma
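Both halves of the question come down to how Splunk pairs a REPORT- entry in props.conf with a DELIMS/FIELDS stanza in transforms.conf and then assigns delimited tokens to field names by position. The script below is an added example, not code from the thread or from Splunk itself: it parses a constructed props.conf/transforms.conf pair (the stanza names bro_http_fields, bro_http_fields_old and auto_delim_fields are made up for the example), reproduces the positional assignment on a constructed Zeek/Bro http.log row, and shows that a FIELDS list written before the "version" column existed shifts every later field one column to the left. It also flags the REPORT- entry whose transform only yields field1, field2, ... so you know which props.conf line and which transforms.conf stanza to delete.

```python
"""Simulate Splunk's REPORT- / DELIMS / FIELDS search-time extraction.

Added example (not Splunk's own code). The config text, stanza names and
the log row are constructed for illustration."""
import codecs
import configparser
import re

# Constructed props.conf for the bro_http sourcetype: the real Bro
# extraction and the analyst's accidentally saved delimiter extraction.
PROPS_CONF = """
[bro_http]
REPORT-bro_http_fields = bro_http_fields
REPORT-accidental = auto_delim_fields
"""

# Constructed transforms.conf. Inside the Python string "\\t" becomes the
# two characters backslash-t, which is what the file would contain.
TRANSFORMS_CONF = """
# The saved delimiter extraction: auto-named field1, field2, ...
[auto_delim_fields]
DELIMS = "\\t"
FIELDS = field1, field2, field3, field4

# A FIELDS list written for http.log before the 'version' column existed
[bro_http_fields_old]
DELIMS = "\\t"
FIELDS = ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, trans_depth, method, host, uri, referrer, user_agent, request_body_len, response_body_len, status_code, status_msg

# The same list with 'version' inserted between referrer and user_agent
[bro_http_fields]
DELIMS = "\\t"
FIELDS = ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, trans_depth, method, host, uri, referrer, version, user_agent, request_body_len, response_body_len, status_code, status_msg
"""

# Constructed http.log row in the layout that carries a 'version' column.
SAMPLE_LINE = "\t".join([
    "1490000000.123456", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "51234",
    "93.184.216.34", "80", "1", "GET", "example.com", "/index.html", "-",
    "1.1", "Mozilla/5.0", "0", "1256", "200", "OK"])


def parse_conf(text):
    """Return {stanza: {key: value}} for a Splunk-style .conf file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep REPORT-xxx / DELIMS case exactly as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def _unquote(value):
    """Strip surrounding quotes and turn the text \\t into a real tab."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return codecs.decode(value, "unicode_escape")


def field_list(transform):
    return [_unquote(name) for name in transform["FIELDS"].split(",")]


def apply_delims(transform, line):
    """Positional assignment: field i gets token i, so a name missing from
    FIELDS shifts every later field one column to the left."""
    tokens = line.rstrip("\n").split(_unquote(transform["DELIMS"]))
    return dict(zip(field_list(transform), tokens))


def report_transforms(props, sourcetype):
    """(REPORT- key, transform name) pairs applied to a sourcetype."""
    stanza = props.get(sourcetype, {})
    return [(k, v.strip()) for k, v in stanza.items() if k.startswith("REPORT-")]


def extract(props, transforms, sourcetype, line):
    fields = {}
    for _, name in report_transforms(props, sourcetype):
        fields.update(apply_delims(transforms[name], line))
    return fields


def autonamed_reports(props, transforms, sourcetype):
    """REPORT- entries whose transform yields only field1, field2, ...:
    the props.conf line and the transforms.conf stanza to delete."""
    hits = []
    for key, name in report_transforms(props, sourcetype):
        names = field_list(transforms[name])
        if names and all(re.fullmatch(r"field\d+", n) for n in names):
            hits.append((key, name))
    return hits


if __name__ == "__main__":
    props = parse_conf(PROPS_CONF)
    transforms = parse_conf(TRANSFORMS_CONF)
    old = apply_delims(transforms["bro_http_fields_old"], SAMPLE_LINE)
    new = apply_delims(transforms["bro_http_fields"], SAMPLE_LINE)
    print("old FIELDS: user_agent =", old["user_agent"], "(the version value)")
    print("new FIELDS: version =", new["version"], "user_agent =", new["user_agent"])
    print("accidental extraction:", autonamed_reports(props, transforms, "bro_http"))
```

Removing the accidental extraction means deleting the REPORT- (or EXTRACT-) line from props.conf and the stanza it names from transforms.conf, in the same local directory. One caveat: the field extractor saves objects that are private to the user under $SPLUNK_HOME/etc/users/<username>/search/local rather than etc/apps/search/local, which is one reason commenting out a line in the app's props.conf can leave the fields in place. Running splunk btool props list bro_http --debug on the search head shows which file each surviving setting comes from.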