Props and Transforms doubt

splunklearner · ‎11-12-2024

I am pretty new to Splunk and my project is also new. Can someone please explain the configurations given in our cluster manager. We have a syslog server which receives logs from F5 WAF devices and UF in syslog server forwards the data to our cluster manager.

isoutamo · ‎11-14-2024

Hi

Based on these conf files it seems to do next.

Take timestamp from beginning of event and put it into _time
Ensure that lines are not longer than 10000 characters
syslog-host transformation is missing, so I cannot tell what it do!
extract hostname from event and save it into metadata to use on next step
define used index based on hostname (fqdn) on event. Fqdn vs index is defined on that csv lookup file
Change \r\n newline to just \n
Don't generate punctuation for event

More detailed information from those links which @PaulPanther add in his post.

r. Ismo

PaulPanther · ‎11-14-2024

Check out following helpful docs and specifications files 😉

How Splunk Enterprise handles your data - Splunk Documentation

props.conf - Splunk Documentation

transforms.conf - Splunk Documentation

Props and Transforms doubt

field extraction

HTTP Event Collector

JSON

props.conf

syslog

transforms.conf

XML

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Mile High Learning with Splunk University, Denver, Colorado

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Join the Conversation

Props and Transforms doubt

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.