...ndividuals (whichever events starting from text “confluent_kafka_”). I have edited my props.conf as below but it's not coming as expected; still it's coming as a single event. Can someone please g...
Hi
I want to drop all Windows Security Events (4624, 4625, etc) with Logon Type:3
My first idea is to make a filter on my Heavy Forwarder:
props.conf
[WinEventLog:Security]
TRANSFORMS-w...
Sample data: I have 2 types of data and below props given, I am seeing internal logs like ERROR JsonLineBreaker - JSON StramID:13457545565443322455 had parsing error: Unexpected character: 'a...
Hello, I have an application with an uf, an indexer and a sh. For a csv it is recommended to put some options in the uf and others in the indexer. For example the field_names. Do you know what types...
Below are the sample logs. Here I have 2 types of log formats. For JSON logs I have given these props: [sourcetype] INDEXED_EXTRACTIONS=json KV_MODE=none SHOULD_LINEMERGE=true T...
Hi,
I've inherited a Splunk environment where the syslog needs a fair amount of clean-up. The incoming syslog messages are all types - servers, appliances, routers, switches.... Where p...
I have a situation.
I have defined the source type under Deployment server- deployment app>local>prop.conf> as
[source::.../engine-*.log]
TRANSFORMS-null=setnull
Also created u...
...ven possible to control the order in which props attempts structured extractions? Certainly props supports extracting both types of values, but how do you know which one it tries first if you c...
Hi Splunkers,
for an addon I'm making, I need to perform a sourcetype override. The general mechanism is clearly explained in this documentation: Override source types on a per-event basis and I u...