...tatement like below in UI and it's working fine but I'm not sure how to deploy this in props.conf
index=index_name sourcetype=sourctype_name log_level=NOTICE
|eval message =case(method_name='p...
...ransform. I follow the same naming conventions for other normal field extractions with transforms and it works well.
props.conf
[sourcetype]
REPORT-IP = REPORT-IP
transforms.conf
[REPORT-IP]
F...
I am trying to use a field in calculatedfields from props.conf to replace a space in one of my field values but am not getting any results in Splunk 6.2.
Below is the EVAL stanza from props.conf -
E...
...lias --> didn't work 2) I created a calculatedfield, case(isnotnull(asset_os),asset_os,1==1,"unkown") - asset_os is not showing in fields 3) I added the below line into props.conf - Also here...
...o properly use props.conf and transforms.conf my only (or best) approach?
What if I want to retain the unique details “just-in-case” and don’t want it removed prior to indexing?
Apologies if m...
I have a field called File_Name that I've generated by trimming the filepath off of my source from a local data input.
The files are either XML or txt files but the names all follow the same f...
Hi,
I have this in my props.conf
[emailAlerts2]
EVAL-Application = if(match(_raw,"\<EcomLogEntry\>\nDate:\s+\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d-0400"),"MyApp",Application)
But I'm b...
...xpression to extract/calculate the field.
I tried searching in all the *.conf files but I did not find it; I was expecting to find it in props.conf
I know the workaround is to temporarily disable t...
Hi guys, would you know why the Selected fields are missing after I enable this specific calculated field? And when I delete that calculated field, the default selected fields are s...