Props and Transforms doubt

splunklearner · ‎11-12-2024

I am pretty new to Splunk and my project is also new. Can someone please explain the configurations given in our cluster manager. We have a syslog server which receives logs from F5 WAF devices and UF in syslog server forwards the data to our cluster manager.

isoutamo · ‎11-14-2024

Hi

Based on these conf files it seems to do next.

Take timestamp from beginning of event and put it into _time
Ensure that lines are not longer than 10000 characters
syslog-host transformation is missing, so I cannot tell what it do!
extract hostname from event and save it into metadata to use on next step
define used index based on hostname (fqdn) on event. Fqdn vs index is defined on that csv lookup file
Change \r\n newline to just \n
Don't generate punctuation for event

More detailed information from those links which @PaulPanther add in his post.

r. Ismo

PaulPanther · ‎11-14-2024

Check out following helpful docs and specifications files 😉

How Splunk Enterprise handles your data - Splunk Documentation

props.conf - Splunk Documentation

transforms.conf - Splunk Documentation

Props and Transforms doubt

field extraction

HTTP Event Collector

JSON

props.conf

syslog

transforms.conf

XML

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?