Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Logs are showing raw, how do I get them to show as highlighted?

bryhoffman
Explorer
‎01-20-2025 07:12 AM

When I click on the raw log and back out of it it shows up as highlighted. How do I default the sourcetype/source to always show as highlighted? I've messed with the props.conf and can't get it.

This only started occur after we migrated from On-Prem Splunk to Splunk Cloud. Before, these logs would automatically show up/parsed in JSON

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2025 08:26 AM

If the data is same as before, but the presentation is different then there is something different in the settings now.

Use the btool command (part of the Admin's Little Helper app - a mandatory app for Splunk Cloud customers, IMO) to review the settings to make sure they are being applied as expected.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

erikwie
Path Finder
‎01-21-2025 01:15 AM

Are you sending the logs directly to Splunk Cloud or thru a Intermediate Forwarder?

An app with props.conf and transforms.conf uploaded to Splunk Cloud is run on the Search Head.
In my cases I had to install the app on the Intermediate Forwarder that sends on-prem logs to Splunk Cloud, when it worked as it had done before migrating to the cloud.

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎01-20-2025 07:43 AM

Have you migrated/moved those original props.conf from onprem to cloud? If you still have those somewhere just create an app from those and install it into cloud. Of course you must ensure that those have precedence over current configuration in cloud.

0 Karma
Reply
Solved! Jump to solution

bryhoffman
Explorer
‎01-20-2025 07:47 AM

Thanks for the response. Everything was migrated over and is exactly this same as before.

You would think there would be a toggle to always use highlighted syntax since it's already parsing JSON..

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2025 08:26 AM

If the data is same as before, but the presentation is different then there is something different in the settings now.

Use the btool command (part of the Admin's Little Helper app - a mandatory app for Splunk Cloud customers, IMO) to review the settings to make sure they are being applied as expected.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...