Splunk Search

Props Conf File

SplunkDash
Motivator

 

How would I write the props config file for following events, any help will be highly appreciated, thank you!

 

Thu, 01 Jul 2021 00:20:04 -0400|system|flush_vulns|INFO|-1|Removing old data in Repository

Thu, 01 Jul 2021 00:20:04 -0400|system|flush_vulns|INFO|-1|Successful removal of old  data in Repository

Thu, 01 Jul 2021 00:20:05 -0400|system|flush_vulns|INFO|-1|Removing old data in Repository

Thu, 01 Jul 2021 00:20:05 -0400|system|flush_vulns|INFO|-1|Successful removal of old data in Repository

 

Labels (1)
Tags (1)
0 Karma
1 Solution

manjunathmeti
Champion

hi @SplunkDash,

You have pipe-separated data, you can also try  INDEXED_EXTRACTIONS.

[sourcetype]
INDEXED_EXTRACTIONS = PSV
FIELD_NAMES = timestamp,context,type,log_level,code,message
TIMESTAMP_FIELDS = timestamp
SHOULD_LINEMERGE = false

 

View solution in original post

manjunathmeti
Champion

hi @SplunkDash,

You have pipe-separated data, you can also try  INDEXED_EXTRACTIONS.

[sourcetype]
INDEXED_EXTRACTIONS = PSV
FIELD_NAMES = timestamp,context,type,log_level,code,message
TIMESTAMP_FIELDS = timestamp
SHOULD_LINEMERGE = false

 

SplunkDash
Motivator

..yes working as expected.....thank you so much, truly appreciated!!!

0 Karma

SplunkDash
Motivator

.... yes working as expected. Thank you, truly  appreciated.

0 Karma

manjunathmeti
Champion

Please accept it as a solution, so it will help others with similar issue.

Tags (1)

isoutamo
SplunkTrust
SplunkTrust

Hi

can you describe what you want to get by props (e.g. some fields defined or drop events or ....)?

r. Ismo

0 Karma

SplunkDash
Motivator

Thank you so much. I stuck writing my TIME_PREFIX and TIME_FORMAT in Props Configuration file for those events . Thank you again.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Can you post your current version?

0 Karma

SplunkDash
Motivator

7.3.3

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust
I mean your props.conf and transforms.conf (if you have also it).
0 Karma

SplunkDash
Motivator

Why we need the version of it...? .....anyways, I solved that issue (see below). Thank you so much, appreciated!!!

SHOULD_LINEMERGE=false

LINE_BREAKER=([\r\n]+)

NO_BINARY_CHECK=true

TIME_PREFIX=\,+\s

TIME_FORMAT=%d %b %Y %H:%M:%S %z

MAX_TIMESTAMP_LOOKAHEAD=26

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...