Splunk Search

Props Conf File

SplunkDash
Motivator

 

How would I write the props config file for following events, any help will be highly appreciated, thank you!

 

Thu, 01 Jul 2021 00:20:04 -0400|system|flush_vulns|INFO|-1|Removing old data in Repository

Thu, 01 Jul 2021 00:20:04 -0400|system|flush_vulns|INFO|-1|Successful removal of old  data in Repository

Thu, 01 Jul 2021 00:20:05 -0400|system|flush_vulns|INFO|-1|Removing old data in Repository

Thu, 01 Jul 2021 00:20:05 -0400|system|flush_vulns|INFO|-1|Successful removal of old data in Repository

 

Labels (1)
Tags (1)
0 Karma
1 Solution

manjunathmeti
Champion

hi @SplunkDash,

You have pipe-separated data, you can also try  INDEXED_EXTRACTIONS.

[sourcetype]
INDEXED_EXTRACTIONS = PSV
FIELD_NAMES = timestamp,context,type,log_level,code,message
TIMESTAMP_FIELDS = timestamp
SHOULD_LINEMERGE = false

 

View solution in original post

manjunathmeti
Champion

hi @SplunkDash,

You have pipe-separated data, you can also try  INDEXED_EXTRACTIONS.

[sourcetype]
INDEXED_EXTRACTIONS = PSV
FIELD_NAMES = timestamp,context,type,log_level,code,message
TIMESTAMP_FIELDS = timestamp
SHOULD_LINEMERGE = false

 

SplunkDash
Motivator

..yes working as expected.....thank you so much, truly appreciated!!!

0 Karma

SplunkDash
Motivator

.... yes working as expected. Thank you, truly  appreciated.

0 Karma

manjunathmeti
Champion

Please accept it as a solution, so it will help others with similar issue.

Tags (1)

isoutamo
SplunkTrust
SplunkTrust

Hi

can you describe what you want to get by props (e.g. some fields defined or drop events or ....)?

r. Ismo

0 Karma

SplunkDash
Motivator

Thank you so much. I stuck writing my TIME_PREFIX and TIME_FORMAT in Props Configuration file for those events . Thank you again.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Can you post your current version?

0 Karma

SplunkDash
Motivator

7.3.3

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust
I mean your props.conf and transforms.conf (if you have also it).
0 Karma

SplunkDash
Motivator

Why we need the version of it...? .....anyways, I solved that issue (see below). Thank you so much, appreciated!!!

SHOULD_LINEMERGE=false

LINE_BREAKER=([\r\n]+)

NO_BINARY_CHECK=true

TIME_PREFIX=\,+\s

TIME_FORMAT=%d %b %Y %H:%M:%S %z

MAX_TIMESTAMP_LOOKAHEAD=26

0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...