How can I find out which props/transforms do the Message field extraction?

danielbb
Motivator

The Message field of wineventlog is being handled by the default configurations or by those of the TA, and I would like to change it, but I can't find out which props/transforms do the current extractions.

The Message field is made of multiple lines, and the extraction, at the moment, is applied to each line, extracting the name/value pairs separated by a colon.

In the case of Avecto, we see within one line multiple name/value pairs, and the pairs are separated by commas.


aasabatini
Motivator

Hi @danielbb 

Did you try the btool option?

splunk btool props list --debug

Anyway, I share the documentation:

https://docs.splunk.com/Documentation/Splunk/8.2.0/Troubleshooting/Usebtooltotroubleshootconfigurati...

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

danielbb
Motivator

I ran:

splunk btool transforms list --debug > /tmp/transforms.all
grep -i -F '$1::$2' /tmp/transforms.all    # -F: match the literal string, same file as written above

The second command returns 29 lines, and I would like to know which one is being applied.


aasabatini
Motivator

Hi @danielbb 

Usually the conf files have this priority:

  • App directory, local has priority over default
  • System directory, local has priority over default.

Now, I don't know where your conf files are located, but generally, if the conf file is present in the app's local directory, it has priority.

Anyway, I share this interesting article:

https://medium.com/splunkuserdeveloperadministrator/splunk-configuration-files-precedence-explained-...

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
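Worked example (added to this thread; it is not code from either poster or from Splunk): grepping transforms.all for "$1::$2" matches every transform whose FORMAT builds a field name from capture group 1 and a value from capture group 2, whether or not the WinEventLog sourcetype ever references it. What decides the extraction is the REPORT-* (search time) or TRANSFORMS-* (index time) keys in the [WinEventLog] and [default] stanzas of props.conf, and btool --debug already prefixes every merged key with the path of the file whose value won the precedence merge, so the local-versus-default question is answered by that path column. The script below parses the two "btool ... list --debug" outputs, lists the extraction keys that apply to a sourcetype, and resolves the transforms.conf stanzas they name. The btool excerpts and the stanza/setting names (example_colon_kv, example_avecto_kv, my_local_overrides, and so on) are constructed for the example and are not the Windows TA's real configuration. Caveats: [source::...] and [host::...] stanzas can also carry extractions and are not walked here, and the sourcetype passed in must be the one your events actually carry.

```python
"""Resolve which props/transforms settings extract fields for a sourcetype,
from `splunk btool props list --debug` / `splunk btool transforms list --debug`.
btool --debug prints one merged setting per line as
    <file path><whitespace><[stanza] or key = value>
Each key appears exactly once, prefixed with the file whose value won the merge.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<body>\S.*)$")

# Constructed btool --debug excerpts; stanza/setting names are hypothetical,
# not the Windows TA's real configuration.
SAMPLE_PROPS = r"""
/opt/splunk/etc/system/default/props.conf                  [default]
/opt/splunk/etc/system/default/props.conf                  KV_MODE = auto
/opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf  [WinEventLog]
/opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf  REPORT-example_colon_kv = example_colon_kv
/opt/splunk/etc/apps/my_local_overrides/local/props.conf   REPORT-example_avecto_kv = example_avecto_kv
/opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf  EXTRACT-example_eventcode = EventCode=(?<EventCode>\d+)
/opt/splunk/etc/apps/my_local_overrides/local/props.conf   REPORT-example_missing = example_missing
"""
SAMPLE_TRANSFORMS = r"""
/opt/splunk/etc/apps/Splunk_TA_windows/default/transforms.conf  [example_colon_kv]
/opt/splunk/etc/apps/Splunk_TA_windows/default/transforms.conf  REGEX = ^\s*([^:]+):\s*(.+)$
/opt/splunk/etc/apps/Splunk_TA_windows/default/transforms.conf  FORMAT = $1::$2
/opt/splunk/etc/apps/my_local_overrides/local/transforms.conf   [example_avecto_kv]
/opt/splunk/etc/apps/my_local_overrides/local/transforms.conf   DELIMS = ",", ":"
/opt/splunk/etc/apps/my_local_overrides/local/transforms.conf   MV_ADD = true
/opt/splunk/etc/apps/some_other_app/default/transforms.conf     [unrelated_kv]
/opt/splunk/etc/apps/some_other_app/default/transforms.conf     REGEX = (\w+)=(\S+)
/opt/splunk/etc/apps/some_other_app/default/transforms.conf     FORMAT = $1::$2
"""


def parse_btool_debug(text):
    """Return {stanza: {key: (value, winning_file)}} in btool's own order."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # blank or unparseable line
        path, body = m.group("path"), m.group("body").rstrip()
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            stanzas.setdefault(current, OrderedDict())
        elif current is not None and "=" in body:
            key, value = (s.strip() for s in body.split("=", 1))  # split once: REGEX values hold '='
            stanzas[current][key] = (value, path)
    return stanzas


def resolve_extractions(props_text, transforms_text, sourcetype):
    """List the extraction settings that apply to `sourcetype` ([default] first).
    Each name in a REPORT-*/TRANSFORMS-* value becomes one entry with that
    transforms.conf stanza's merged settings and winning file (None if the
    stanza does not exist); EXTRACT-* and KV_MODE entries carry the value itself."""
    props = parse_btool_debug(props_text)
    transforms = parse_btool_debug(transforms_text)
    entries = []
    for stanza in ("default", sourcetype):
        for key, (value, props_file) in props.get(stanza, {}).items():
            base = {"stanza": stanza, "key": key, "props_file": props_file}
            if key.startswith(("REPORT-", "TRANSFORMS-")):
                for name in (n.strip() for n in value.split(",") if n.strip()):
                    t = transforms.get(name)
                    entries.append(dict(
                        base, transform=name,
                        transforms_file=next(iter(t.values()))[1] if t else None,
                        settings=OrderedDict((k, v) for k, (v, _f) in t.items()) if t else None))
            elif key.startswith("EXTRACT-") or key == "KV_MODE":
                entries.append(dict(base, transform=None, transforms_file=None, settings=value))
    return entries


def report(entries):
    """Print one line per applicable setting, with the file it comes from."""
    for e in entries:
        if e["transform"] is None:
            print("[%s] %s = %s   (%s)" % (e["stanza"], e["key"], e["settings"], e["props_file"]))
        elif e["settings"] is None:
            print("[%s] %s -> %s   MISSING transforms stanza" % (e["stanza"], e["key"], e["transform"]))
        else:
            print("[%s] %s -> [%s]   (%s)" % (e["stanza"], e["key"], e["transform"], e["transforms_file"]))
            for k, v in e["settings"].items():
                print("    %s = %s" % (k, v))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:      # usage: script.py props.all transforms.all <sourcetype>
        with open(sys.argv[1]) as p, open(sys.argv[2]) as t:
            report(resolve_extractions(p.read(), t.read(), sys.argv[3]))
    else:
        report(resolve_extractions(SAMPLE_PROPS, SAMPLE_TRANSFORMS, "WinEventLog"))
```

On a live system, feed it the files produced by "splunk btool props list --debug > /tmp/props.all" and "splunk btool transforms list --debug > /tmp/transforms.all" plus the sourcetype name; with no arguments it runs on the constructed samples. There, unrelated_kv also has FORMAT = $1::$2 and would be one of the grep hits, but it never appears in the result because nothing in [WinEventLog] or [default] references it, while example_missing shows up flagged as a REPORT key pointing at a transforms stanza that does not exist. The DELIMS = ",", ":" stanza in the sample is the shape a comma-separated, colon-keyed line would use; which stanza to override in a local/ file is whatever this output shows as winning.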

danielbb
Motivator

I can't find out where Message is being processed for WinEventLog. I scanned props and transforms with btool and can't find it.
