
How to add eval command to props.conf?

btaxacher
Observer

Hello Splunk Community, I am trying to add the following command to the props.conf file to make the following search permanent:

btaxacher_0-1666017506075.png


I am still very new to the Splunk world and therefore I have no experience with the props.conf file.

I made a copy of the props.conf file in the folder /opt/splunk/etc/system/local and put the command in there (See below).

btaxacher_1-1666017877470.png


However, when starting Splunk now, the following message appears:

btaxacher_2-1666017926637.png


I suspect I phrased the command wrong or wrote it into the wrong section in props.conf.

Also, it would be interesting to know if the part of the command that brings the events in table form can also be written into the props.conf file and if so into which section of the file?

Many thanks and greetings


isoutamo
SplunkTrust

Hi

I'm not 100% sure what you want to achieve with this.

If you want to modify those events before they are written to buckets, then I propose that you look at SEDCMD in props.conf for how to drop an unneeded part of an event.

If you just want to format that at search time, then probably you should use a macro to replace that SPL query. Or just use EVAL-field1 = .... for each of those fields in your SPL in props.conf.

r. Ismo


btaxacher
Observer

Hello, thanks for the answer.

First of all, I am trying to remove certain content from the fields here, for example so that in the field "Datum" the expression "Datum: " is no longer displayed. This is already at the top of the table and does not have to be written again and again in the content of the field.

I have now used EVAL-fieldname in props.conf :

btaxacher_0-1666029426234.png


I restarted Splunk and the error message (from above) did not show up anymore.

However, nothing changes in my search on the web server: the expressions I wanted to remove are still displayed.

In addition, unfortunately, I do not know what is meant by SPL-query and macro.

Many greetings
btaxacher


isoutamo
SplunkTrust

You should do those evals one by one; you cannot combine several SPL commands into one entry separated with |. Also you should remember the precedence of those EVALs when Splunk executes them (ASCII order), so select those names correctly if the order matters.

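To make isoutamo's two suggestions concrete (SEDCMD for index-time removal in the first answer, one EVAL- setting per field in the second), here is an added example of what the stanzas look like. It is not the poster's configuration and not taken from the thread: the sourcetype name `my_sourcetype`, the second field name `field2`, the SEDCMD class name `strip_labels` and the macro name `datum_table` are all assumptions; only the field `Datum` and its `Datum: ` prefix come from the question.

```ini
# props.conf  (added example; stanza name "my_sourcetype" is an assumption,
# use the sourcetype of the events you are searching)
[my_sourcetype]

# Search-time option: one EVAL- setting per field, never several SPL
# commands joined with "|" in one setting. Each line overwrites the
# extracted field with a copy that has the "<label>: " prefix removed.
# EVAL-* settings are applied in ASCII order of the field names, so each
# one here references only its own field and the order does not matter.
# "field2" is a placeholder for any further field with the same problem.
EVAL-Datum  = replace(Datum,  "^Datum:\s*",  "")
EVAL-field2 = replace(field2, "^field2:\s*", "")

# Index-time alternative: rewrite _raw before the event is written to a
# bucket. Caveats: it only affects data indexed AFTER the change, and it
# must be on the instance that parses the data (indexer or heavy
# forwarder), not on a separate search head. Class name is arbitrary.
SEDCMD-strip_labels = s/\bDatum:\s*//g

# macros.conf  (same app, on the search head)
# The "| table ..." part of the search cannot go into props.conf at all;
# wrap the whole search-time formatting in a macro and call it with
#   index=... sourcetype=my_sourcetype | `datum_table`
# The field list after "table" is an assumption.
[datum_table]
definition = eval Datum=replace(Datum, "^Datum:\s*", "") | table _time Datum
```

Before committing either stanza, run the same expression ad hoc in the search bar (`... | eval Datum=replace(Datum, "^Datum:\s*", "")`) to confirm it produces the result you want on the extracted field. Then check which stanza Splunk actually loads with `splunk btool props list my_sourcetype --debug`; a stanza header that does not exactly match the events' sourcetype, or an EVAL- setting placed on an indexer while searches run on a different search head, are the usual reasons a search-time EVAL appears to do nothing. Prefer placing the file under `etc/apps/<your_app>/local/` rather than `etc/system/local/` so the change survives upgrades and can be deployed as an app.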

btaxacher
Observer

I have now separated the EVALs from each other:

btaxacher_1-1666078466570.png


In Splunk, the result of my search still looks like this:

btaxacher_0-1666078451530.png

By the EVALs in props.conf, the expression "Datum:" in the event 'Datum' should actually be replaced by " " (a space)?
