Getting Data In

props/transforms.conf

dbcase
Motivator

Hi,

I have the below data and I know that props and/or transforms.conf need to be modified to have the below report as 1 event. I'm not that familiar with how props/transforms.conf work since we have Splunk Cloud and have never modified them.

Premise= 135019
Name= Front Door
    IP= 172.16.12.103
    ID= 1
    Mac= E8:F2:E2:2D:CB:73
    FW Ver= 0.9.2.1708101
    Manufacturer= LGInnotek
    Model= Titan
    Video Size= LARGE
    Verified= true
    RSSI= -79 dB
    Supported Video Formats= [MJPEG, FLV, RTSP]
    Supported Video Codecs= [H264, MPEG4]
    FLV URL= https://172.16.12.103:80/openhome/streaming/channels/0/flv
    MJPEG URL= https://172.16.12.103:80/openhome/streaming/channels/2/mjpeg
    API Version= 3.3.7
    MotionTurnedOn= true
    MotionSensitivy= 1 (LOW)
    Local Video Aspect Ratio= 16:9
    Local Video Resolution= 1280:720
    Remote Video Aspect Ratio= 16:9
    Remote Video Resolution= 1280:720
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Assuming your logs always starts with Permise=.., try this

props.conf on Indexer/HF

[yourSourcetype]
LINE_BREAKER = ([\r\n]+)(?=Premise\=\s\S+)
SHOULD_LINEMERGE = false
#Don't see any timestamp on the data so using current time
DATETIME_CONFIG=CURRENT

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Assuming your logs always starts with Permise=.., try this

props.conf on Indexer/HF

[yourSourcetype]
LINE_BREAKER = ([\r\n]+)(?=Premise\=\s\S+)
SHOULD_LINEMERGE = false
#Don't see any timestamp on the data so using current time
DATETIME_CONFIG=CURRENT
0 Karma

solarboyz1
Builder

In your props.conf for this sourcetype, you could try using a line_breaker to split, assuming all events start with "Premise="

[sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)Premise=
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...