Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search
Splunk Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Search
Search the Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
10,000 results
Sorted by:
06-14-2019
06:24 AM
Hi All,
can anyone help us to figure out magic six for the below sample log?
SHOULD_LINEMERGE=
LINE_BREAKER=
MAX_TIMESTAMP_LOOKAHEAD=
TIME_PREFIX=
TRUNCATE=
TIME_FORMAT=
VersionNum...
- Tags:
- splunk-enterprise
03-21-2013
10:55 AM
Does props.conf go on a forwarder or on the main splunk server?
- Tags:
- props.conf
07-21-2023
02:27 AM
how can i in the props.conf file tell Splunk to take the second timestamp as opposed to the first
Labels
- Labels:
-
props.conf
-
transforms.conf
08-27-2023
08:13 PM
Hello, I have some issues with the TIME_FORMAT field in props.conf file, getting some error messages "Failed to parse timestamp, defaulting to file modtime" . My pprops.conf file and a couple of s...
- Tags:
- timestamp in props
Labels
- Labels:
-
other
11-18-2021
03:07 AM
Not working SEDCMD in my props.conf /opt/splunk/etc/system/local/props.conf [ActiveDirectory] SEDCMD-mask_ms_pwd = s/(ms-Mcs-AdmPwd\s*=)\s*.*/ms-Mcs-AdmPwd=*******/ &n...
Labels
Show results in replies (4)
-
You can deploy a props.conf configuration utilising “SEDCMD” and have it apply to the sourcetype “A...
-
indexer /opt/splunk/etc/system/local/props.conf Yes. I restarted every time I c...
-
Where are you putting the props.conf file? It must be on the indexers and, if you have t...
-
...bsp; props.conf [ActiveDirectory] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+---splunk-a...
07-07-2019
12:53 PM
what is the expected impact of increasing the value for TRUNCATE, the log reception upper limit setting value that can be defined in the indexer props.conf.
Also, is there any problem cases with T...
02-08-2023
11:16 AM
...ntire contents of my props.conf file:
[xxx:xxx:audit:xml] MUST_BREAK_AFTER = \</AuditMessage\> KV_MODE = xml LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true SHOULD_LINEMERGE = t...
- Tags:
- parsing
- props.conf
Labels
- Labels:
-
field extraction
-
fields
-
other
03-25-2021
06:31 AM
Hello SMEs....Seeking helping hand I got stuck while putting EVAL-<field-name> in props.conf using case command and it is not at all working while the same is working in search bar in GUI. A...
- Tags:
- props.conf
Labels
- Labels:
-
eval
Show results in replies (4)
-
HI @pavanbmishra, The eval -xyz filed name have you used anywhere else in the same props. c...
-
...xact props.conf file
-
Thanks Vardhan for your quick help 🙂 No i am not using that eval-xyz field anywhere in the props...
-
...fter placing the props.conf in search head can you quickly restart and check if it is a single i...
03-31-2023
12:07 PM
Hello, I am trying to figure out how to edit props.conf so that it splits my events properly. The events are added to a log file, which looks like this: &n...
Labels
08-17-2023
02:06 AM
Hi all,
i want to change the timestamp on event:
I want put the createDteTime on Time (yellow)
I changed the props.conf as follow:
[sourcetype]
INDEXED_EXTRACTIONS = j...
- Tags:
- props.conf
Show results in replies (7)
-
...oes the btool say? (splunk btool props list <your_sourcetype> --debug)
-
...our props.conf? 3. Your field is called createdDateTime, not createdDateTime":
-
Since it doesn't work without it, I tried adding INDEXED_EXTRACTIONS etc\system\default i tried b...
-
Hi @Simone , did you tried: [sourcetype] INDEXED_EXTRACTIONS = json TIMESTAMP_FIELDS = ...
-
Hi Giuseppe, unfortunately doesn't work. The raw is the following: "createdDateTime": "2023-0...
-
You right! i have change the value directly on the app's props.conf reported the correct f...
-
Hi @Simone, good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Poi...
