...s are not usable with lookup, but...
The props.conf documentation says something else:
"Splunk processes calculated fields after field extraction and fieldaliasing but before lookups"
We have the following -
logTime 2016-04-06 06:12:32,251 UTC
eventStartTime 2016-04-06 01:12:32.177
_time 2016-04-06T01:12:32.251-05:00
Is it possible to set the _time field to have t...
...he logs.
Here are the example for each:
test@test.com
3234-1234-5678-5678
As I need to configureprops.conf and transforms.conf under $SPLUNK_HOME/etc/system/local/
Specifically, in props...
...moketest_json_dyn_tcp". Similar inputs are configured with unique sourcetype names; they are making REST calls to the same destination to collect different metrics. Since the same field names are being returned b...
Below is my props.conf configuration:
[<some-sourcetype>]
FIELDALIAS-0_abc = field1 as field2
FIELDALIAS-pqr = field2 as field3
FIELDALIAS-xyz = field2 as field4
Current b...
I am going to be forwarding CSV and TSV files, and was wondering if I need to configure both INDEXED_EXTRACTIONS and FIELD_DELIMITER in props.conf for the sourcetype on the Universal Forwarder.
I...
I created a field and it has 3 values. I just want change one of the values from WARNING to WARN using lookups(.CSV). I also want to know how to configure it in props.conf.
...hen I put in my tested regex in the hostname field it ofc doesn't work. So I guess I first have to set up the sourcetype in props.conf and configure the extraction in transforms.conf 2.) I c...
*Environment
Index server: Splunk version is 4.2.2 on Linux
Forwarder: VMware with vCenter on Windows Server 2008 (Universal Forwarder is 4.2.2)
Question,
If we install a Universal F...
...ndexing time instead of "time" field, that I've added before. I tried to configureprops.conf as with JSON and with regex but both hasn't work.
What makes things more wired is that some of t...