...s both timestamps do not contain the year, Splunk does not manage to correctly index the events.
I therefore override both sourcetypes on a per-event basis.
In props.conf:
[source::.../e...
...ractise, how do I manage my sourcetypes, especially in the case of Splunk Cloud? Is there any way to keep sourcetypes on indexers and Search Heads synchronised?
...n different format. How can we manage the search-time extractions so that they work for both data formats for the same sourcetype? The new extractions we use are completely different from the old ones. Any s...
...earch head is reading the data of the UDP port and forwarding it to Indexers
2 - Install the apps on the search heads but don't use the app to configure the inputs and sourcetypes. Manage them o...
Hi,
Please find below usecase we have currently:
We have two indexes: A, having sourcetypes X1, Y1, Z1, and B, having sourcetypes X2, Y2, Z2. In order to restrict the user's access to all source...
I have a Splunk indexer cluster (2 indexers, 1 master node), 1 search head, and multiple forwarders. Is there a way to configure sourcetypes, input ports, etc from a central web interface, or does e...
...ossible to assign the same labels to all incoming SIEM alerts. Based on these labels a playbook is then executed.
Is there any way to assign the labels based on the type (e.g. a field of the alarm) o...
Hello, I have a sourcetype that has a default LINE_BREAKING and SHOULD_LINEMERGE=false, like so:
Per my understanding, this means it automatically extracts each line as one event. But the i...