Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search
Splunk Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Search
Search the Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
48 results
Sorted by:
05-18-2010
09:01 PM
9 Karma
...pache access log, but with a few more fields at the start of each log line. When I simply clone the access-extractions transform, make no modifications except for changing the Name field, it kicks b...
05-17-2016
03:28 AM
...cross, but in vain. Even the documentation isn't clear enough with examples. I am able to extract the fields in the search (using spath and specifying tags paths), but that is not what I want. I want to h...
01-17-2019
05:31 AM
...s always "encore". To cheekily resolve that, I tried to alias on the heavy forwarder the sensor field to source (in the estreamer TA), and also on the search head thusly:
FIELDALIAS-e...
04-16-2015
01:08 PM
Good afternoon,
I have some syslog data coming into splunk. I am trying to write the props and transforms to add the field extractions and want to make sure I am doing it the best way.
Q...
05-20-2015
09:21 AM
1 Karma
Hi
I don't know what I am doing wrong. I am try to extract a multivalue field, error_num . I tested it in the search app and it worked correctly. This is what I got:
props.conf:
[J...
03-18-2015
12:05 AM
1 Karma
...mport, I'm extracting the hostname from the event using props.conf and transforms.conf
write it to metadata:host.
props.conf:
[collectd]
TIME_PREFIX = ^.+\..+\..+\s.+\s
TRANSFORMS-mask= mask-c...
08-19-2010
06:45 PM
4 Karma
...lace doesn't follow this paradigm. We especially have a lot of DELIMS/FIELDS-based field extractions, and I'm not clear on where we stand with these, especially since there's no obvious way to configure...
10-27-2017
04:01 AM
...nstance, I configured the props.conf:
[csv]
TRANSFORMS-eliminate_header = eliminate_header
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER = ;
TIMESTAMP_FIELDS = Date,Time
HEADER_FIELD_LINE_NUMBER = 7...
12-27-2017
10:28 AM
...EF data for CIM compliance, too.
My problem is the same with all Add-on: neither handle the custom labels/fields as I except:
cn2 = 4
cn2Label = TaskNewState
cs2 = 1093
cs2Label = P...
- Tags:
- cef
- splunk-enterprise
08-12-2016
08:45 PM
All,
I run this search -
index=main | makemv PCIDSS delim=","
I'd like to be automatically expanded instead. But I don't see how I would do this in props.conf
