Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Logs are showing raw, how do I get them to show as highlighted?

bryhoffman
Explorer
‎01-20-2025 07:12 AM

When I click on the raw log and back out of it it shows up as highlighted. How do I default the sourcetype/source to always show as highlighted? I've messed with the props.conf and can't get it.

This only started occur after we migrated from On-Prem Splunk to Splunk Cloud. Before, these logs would automatically show up/parsed in JSON

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2025 08:26 AM

If the data is same as before, but the presentation is different then there is something different in the settings now.

Use the btool command (part of the Admin's Little Helper app - a mandatory app for Splunk Cloud customers, IMO) to review the settings to make sure they are being applied as expected.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

erikwie
Path Finder
‎01-21-2025 01:15 AM

Are you sending the logs directly to Splunk Cloud or thru a Intermediate Forwarder?

An app with props.conf and transforms.conf uploaded to Splunk Cloud is run on the Search Head.
In my cases I had to install the app on the Intermediate Forwarder that sends on-prem logs to Splunk Cloud, when it worked as it had done before migrating to the cloud.

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎01-20-2025 07:43 AM

Have you migrated/moved those original props.conf from onprem to cloud? If you still have those somewhere just create an app from those and install it into cloud. Of course you must ensure that those have precedence over current configuration in cloud.

0 Karma
Reply
Solved! Jump to solution

bryhoffman
Explorer
‎01-20-2025 07:47 AM

Thanks for the response. Everything was migrated over and is exactly this same as before.

You would think there would be a toggle to always use highlighted syntax since it's already parsing JSON..

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2025 08:26 AM

If the data is same as before, but the presentation is different then there is something different in the settings now.

Use the btool command (part of the Admin's Little Helper app - a mandatory app for Splunk Cloud customers, IMO) to review the settings to make sure they are being applied as expected.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...
Top