Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- props/transforms.conf
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbcase
Motivator
05-23-2018
11:18 AM
Hi,
I have the below data and I know that props and/or transforms.conf need to be modified to have the below report as 1 event. I'm not that familiar with how props/transforms.conf work since we have Splunk Cloud and have never modified them.
Premise= 135019
Name= Front Door
IP= 172.16.12.103
ID= 1
Mac= E8:F2:E2:2D:CB:73
FW Ver= 0.9.2.1708101
Manufacturer= LGInnotek
Model= Titan
Video Size= LARGE
Verified= true
RSSI= -79 dB
Supported Video Formats= [MJPEG, FLV, RTSP]
Supported Video Codecs= [H264, MPEG4]
FLV URL= https://172.16.12.103:80/openhome/streaming/channels/0/flv
MJPEG URL= https://172.16.12.103:80/openhome/streaming/channels/2/mjpeg
API Version= 3.3.7
MotionTurnedOn= true
MotionSensitivy= 1 (LOW)
Local Video Aspect Ratio= 16:9
Local Video Resolution= 1280:720
Remote Video Aspect Ratio= 16:9
Remote Video Resolution= 1280:720
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-23-2018
11:51 AM
Assuming your logs always starts with Permise=.., try this
props.conf on Indexer/HF
[yourSourcetype]
LINE_BREAKER = ([\r\n]+)(?=Premise\=\s\S+)
SHOULD_LINEMERGE = false
#Don't see any timestamp on the data so using current time
DATETIME_CONFIG=CURRENT
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-23-2018
11:51 AM
Assuming your logs always starts with Permise=.., try this
props.conf on Indexer/HF
[yourSourcetype]
LINE_BREAKER = ([\r\n]+)(?=Premise\=\s\S+)
SHOULD_LINEMERGE = false
#Don't see any timestamp on the data so using current time
DATETIME_CONFIG=CURRENT
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
solarboyz1
Builder
05-23-2018
11:44 AM
In your props.conf for this sourcetype, you could try using a line_breaker to split, assuming all events start with "Premise="
[sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)Premise=
Get Updates on the Splunk Community!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Wednesday, May 29, 2024 | 11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...
