Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Logs are showing raw, how do I get them to show as highlighted?

bryhoffman
Explorer
‎01-20-2025 07:12 AM

When I click on the raw log and back out of it it shows up as highlighted. How do I default the sourcetype/source to always show as highlighted? I've messed with the props.conf and can't get it.

This only started occur after we migrated from On-Prem Splunk to Splunk Cloud. Before, these logs would automatically show up/parsed in JSON

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2025 08:26 AM

If the data is same as before, but the presentation is different then there is something different in the settings now.

Use the btool command (part of the Admin's Little Helper app - a mandatory app for Splunk Cloud customers, IMO) to review the settings to make sure they are being applied as expected.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

erikwie
Path Finder
‎01-21-2025 01:15 AM

Are you sending the logs directly to Splunk Cloud or thru a Intermediate Forwarder?

An app with props.conf and transforms.conf uploaded to Splunk Cloud is run on the Search Head.
In my cases I had to install the app on the Intermediate Forwarder that sends on-prem logs to Splunk Cloud, when it worked as it had done before migrating to the cloud.

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎01-20-2025 07:43 AM

Have you migrated/moved those original props.conf from onprem to cloud? If you still have those somewhere just create an app from those and install it into cloud. Of course you must ensure that those have precedence over current configuration in cloud.

0 Karma
Reply
Solved! Jump to solution

bryhoffman
Explorer
‎01-20-2025 07:47 AM

Thanks for the response. Everything was migrated over and is exactly this same as before.

You would think there would be a toggle to always use highlighted syntax since it's already parsing JSON..

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2025 08:26 AM

If the data is same as before, but the presentation is different then there is something different in the settings now.

Use the btool command (part of the Admin's Little Helper app - a mandatory app for Splunk Cloud customers, IMO) to review the settings to make sure they are being applied as expected.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...