Splunk Search

Props Conf File

SplunkDash
Motivator

 

How would I write the props config file for following events, any help will be highly appreciated, thank you!

 

Thu, 01 Jul 2021 00:20:04 -0400|system|flush_vulns|INFO|-1|Removing old data in Repository

Thu, 01 Jul 2021 00:20:04 -0400|system|flush_vulns|INFO|-1|Successful removal of old  data in Repository

Thu, 01 Jul 2021 00:20:05 -0400|system|flush_vulns|INFO|-1|Removing old data in Repository

Thu, 01 Jul 2021 00:20:05 -0400|system|flush_vulns|INFO|-1|Successful removal of old data in Repository

 

Labels (1)
Tags (1)
0 Karma
1 Solution

manjunathmeti
Champion

hi @SplunkDash,

You have pipe-separated data, you can also try  INDEXED_EXTRACTIONS.

[sourcetype]
INDEXED_EXTRACTIONS = PSV
FIELD_NAMES = timestamp,context,type,log_level,code,message
TIMESTAMP_FIELDS = timestamp
SHOULD_LINEMERGE = false

 

View solution in original post

manjunathmeti
Champion

hi @SplunkDash,

You have pipe-separated data, you can also try  INDEXED_EXTRACTIONS.

[sourcetype]
INDEXED_EXTRACTIONS = PSV
FIELD_NAMES = timestamp,context,type,log_level,code,message
TIMESTAMP_FIELDS = timestamp
SHOULD_LINEMERGE = false

 

SplunkDash
Motivator

..yes working as expected.....thank you so much, truly appreciated!!!

0 Karma

SplunkDash
Motivator

.... yes working as expected. Thank you, truly  appreciated.

0 Karma

manjunathmeti
Champion

Please accept it as a solution, so it will help others with similar issue.

Tags (1)

isoutamo
SplunkTrust
SplunkTrust

Hi

can you describe what you want to get by props (e.g. some fields defined or drop events or ....)?

r. Ismo

0 Karma

SplunkDash
Motivator

Thank you so much. I stuck writing my TIME_PREFIX and TIME_FORMAT in Props Configuration file for those events . Thank you again.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Can you post your current version?

0 Karma

SplunkDash
Motivator

7.3.3

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust
I mean your props.conf and transforms.conf (if you have also it).
0 Karma

SplunkDash
Motivator

Why we need the version of it...? .....anyways, I solved that issue (see below). Thank you so much, appreciated!!!

SHOULD_LINEMERGE=false

LINE_BREAKER=([\r\n]+)

NO_BINARY_CHECK=true

TIME_PREFIX=\,+\s

TIME_FORMAT=%d %b %Y %H:%M:%S %z

MAX_TIMESTAMP_LOOKAHEAD=26

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...