Solved: props/transforms.conf

dbcase · ‎05-23-2018

Hi,

I have the below data and I know that props and/or transforms.conf need to be modified to have the below report as 1 event. I'm not that familiar with how props/transforms.conf work since we have Splunk Cloud and have never modified them.

Premise= 135019
Name= Front Door
    IP= 172.16.12.103
    ID= 1
    Mac= E8:F2:E2:2D:CB:73
    FW Ver= 0.9.2.1708101
    Manufacturer= LGInnotek
    Model= Titan
    Video Size= LARGE
    Verified= true
    RSSI= -79 dB
    Supported Video Formats= [MJPEG, FLV, RTSP]
    Supported Video Codecs= [H264, MPEG4]
    FLV URL= https://172.16.12.103:80/openhome/streaming/channels/0/flv
    MJPEG URL= https://172.16.12.103:80/openhome/streaming/channels/2/mjpeg
    API Version= 3.3.7
    MotionTurnedOn= true
    MotionSensitivy= 1 (LOW)
    Local Video Aspect Ratio= 16:9
    Local Video Resolution= 1280:720
    Remote Video Aspect Ratio= 16:9
    Remote Video Resolution= 1280:720

somesoni2 · ‎05-23-2018

Assuming your logs always starts with Permise=.., try this

props.conf on Indexer/HF

[yourSourcetype]
LINE_BREAKER = ([\r\n]+)(?=Premise\=\s\S+)
SHOULD_LINEMERGE = false
#Don't see any timestamp on the data so using current time
DATETIME_CONFIG=CURRENT

View solution in original post

somesoni2 · ‎05-23-2018

Assuming your logs always starts with Permise=.., try this

props.conf on Indexer/HF

[yourSourcetype]
LINE_BREAKER = ([\r\n]+)(?=Premise\=\s\S+)
SHOULD_LINEMERGE = false
#Don't see any timestamp on the data so using current time
DATETIME_CONFIG=CURRENT

solarboyz1 · ‎05-23-2018

In your props.conf for this sourcetype, you could try using a line_breaker to split, assuming all events start with "Premise="

[sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)Premise=

props/transforms.conf

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life