I am trying to create a props.conf to pass a custom timestamp. To do so I wanted to upload data and use the set source type page to configure timestamp parameters and then copy the props.conf to clipboard. However, the preview on this page does not update when I click "Apply Settings". The preview only changes when I select a new source type from the dropdown next to "Save As", changing anything in "Event Breaks", "Timestamp", or "Advanced" does nothing. Some thing to note is there is a red exclamation point in the top left saying "Can only preview uploaded files", unsure what this means. When I do save the data and search it, it DOES look like the source type changes I made took effect, but this really isn't a feasible way to test and configure my parameters. Any way to get this visible in "Add Data"s preview?

Need assistance with this, have installed the app, pointed to the address of the on prem server we have housing bluecat, ensured that account we created can login, has api access. I have pointed it there, given credentials but nothing is being pulled from bluecat into splunk. A little assistance, I read the README files, and didnt help much.    Thanks, Justin

Hello, I'm attempting to change the sourcetype and host on a single event. The tricky part is I want the second transform based on the change from the first transform For Example, My data comes in as   index=main host=heavy_forwarder sourcetype=aws:logbucket   I want the data to change to   index=main host=amazonfsx.host sourcetype=XmlWinEventLog   The catch is that I have other sourcetypes coming in as aws:logbucket and getting transformed to various other sourcetypes (cloudtrail, config, etc). On these events I do not want to run the regex to change the host value   If I have a props.conf file that states TRANSFORMS-modify_data = aws_fsx_sourcetype, aws_fsx_host And a transforms.conf of [aws_fsx_sourcetype] SOURCE_KEY = MetaData:Source REGEX = ^source::s3:\/\/fsxbucket\/.* FORMAT = sourcetype::XmlWinEventLog DEST_KEY = MetaData:Sourcetype [aws_fsx_host] REGEX = <Computer>([^.<]+).*?<\/Computer> FORMAT = host::$1 DEST_KEY = MetaData:Host   I'm worried this will have unexpected results on the other sourcetypes that aws:logucket has, like cloudtrail and config. If I break it out with two separate transforms, like this   TRANSFORMS-modify_data = aws_fsx_sourcetype TRANSFORMS-modify_data2 = aws_fsx_host   I'm worried the typing pipeline won't see the second transform. What is the most effective way to accomplish this?   Thanks, Nate

We are having difficulty getting exclusions of logs that have fields in Camelcase or have entries that have special characters related to OTEL logs. Fields without capitalization and/or special character values are able to be parsed out, but not others. Here is an example log that we are looking at (attached as yaml and key portion).         filelog/kube-apiserver-audit-log: include: - /var/log/kubernetes/kube-apiserver.log include_file_name: false include_file_path: true operators: - id: extract-audit-group type: regex_parser regex: '\s*\"resourceGroup\"\s*\:\s*\"(?P<extracted_group>[^\"]+)\"\s*' - id: filter-group type: filter expr: 'attributes.extracted_beta == "batch"' - id: remove-extracted-group type: remove field: attributes.extracted_group - id: extract-audit-api type: regex_parser regex: '\"level\"\:\"(?P<extracted_audit_beta>[^\"]+)\"' - id: filter-api type: filter expr: 'attributes.extracted_audit_beta == "Metadata"' - id: remove-extracted-api type: remove field: attributes.extracted_api - id: extract-audit-verb type: regex_parser regex: '\"verb\"\:\"(?P<extracted_verb>[^\"]+)\"' - id: filter-verb type: filter expr: 'attributes.extracted_verb == "watch" || attributes.extracted_verb == "list"' - id: remove-extracted-verb type: remove field: attributes.extracted_verb The resourceGroup field is compared to something else and failing, verb and level are succeeding. Here is an example log that would be pulled in. {"apiVersion":"batch/v1","component":"sync-agent","eventType":"MODIFIED","kind":"CronJob","level":"info","msg":"sent event","name":"agentupdater-workload","namespace":"vmware-system-tmc","resourceGroup":"batch","resourceType":"cronjobs","resourceVersion":"v1","time":"2024-03-14T18:17:11Z"}