Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Props Conf File

SplunkDash
Motivator
‎08-05-2021 02:31 PM

 

How would I write the props config file for following events, any help will be highly appreciated, thank you!

 

Thu, 01 Jul 2021 00:20:04 -0400|system|flush_vulns|INFO|-1|Removing old data in Repository

Thu, 01 Jul 2021 00:20:04 -0400|system|flush_vulns|INFO|-1|Successful removal of old  data in Repository

Thu, 01 Jul 2021 00:20:05 -0400|system|flush_vulns|INFO|-1|Removing old data in Repository

Thu, 01 Jul 2021 00:20:05 -0400|system|flush_vulns|INFO|-1|Successful removal of old data in Repository

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎08-09-2021 01:04 AM

hi @SplunkDash,

You have pipe-separated data, you can also try  INDEXED_EXTRACTIONS.

[sourcetype]
INDEXED_EXTRACTIONS = PSV
FIELD_NAMES = timestamp,context,type,log_level,code,message
TIMESTAMP_FIELDS = timestamp
SHOULD_LINEMERGE = false

 

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎08-09-2021 01:04 AM

hi @SplunkDash,

You have pipe-separated data, you can also try  INDEXED_EXTRACTIONS.

[sourcetype]
INDEXED_EXTRACTIONS = PSV
FIELD_NAMES = timestamp,context,type,log_level,code,message
TIMESTAMP_FIELDS = timestamp
SHOULD_LINEMERGE = false

 

Reply
Solved! Jump to solution

SplunkDash
Motivator
‎08-09-2021 07:41 AM

..yes working as expected.....thank you so much, truly appreciated!!!

0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎08-09-2021 07:39 AM

.... yes working as expected. Thank you, truly  appreciated.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎08-09-2021 07:44 AM

Please accept it as a solution, so it will help others with similar issue.

Tags (1)
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-05-2021 03:05 PM

Hi

can you describe what you want to get by props (e.g. some fields defined or drop events or ....)?

r. Ismo

0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎08-05-2021 03:19 PM

Thank you so much. I stuck writing my TIME_PREFIX and TIME_FORMAT in Props Configuration file for those events . Thank you again.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-05-2021 11:02 PM

Can you post your current version?

0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎08-06-2021 07:49 AM

7.3.3

 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-06-2021 11:46 AM
I mean your props.conf and transforms.conf (if you have also it).
0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎08-09-2021 12:19 AM

Why we need the version of it...? .....anyways, I solved that issue (see below). Thank you so much, appreciated!!!

SHOULD_LINEMERGE=false

LINE_BREAKER=([\r\n]+)

NO_BINARY_CHECK=true

TIME_PREFIX=\,+\s

TIME_FORMAT=%d %b %Y %H:%M:%S %z

MAX_TIMESTAMP_LOOKAHEAD=26

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...