my event and inputs.conf sourcetype = rsa:syslog feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.admin.com.cd.etc info my props.conf [rsa:syslog] TRANSFORMS-c...
Dear Members, I have a use case where I would need to update or insert configuration into transforms.conf, props.conf and outputs.conf. I was told that it is possible to do this via creating an app....
...he extra contents) doesn't work. I also tried to set up a priority using the props.conf "priority" option with no luck. I also tried to use source for the first stanza because source usually has an h...
Hello comrades, After my poor research, I found that only a heavy forwarder supports props.conf, but those were posts from 5 or 6 years ago. I wonder whether a UF could now support props.conf? Also how do I u...
What is the expected impact of increasing the value of TRUNCATE, the log reception upper limit setting that can be defined in the indexer's props.conf?
Also, are there any problem cases with T...
Hi All,
Can anyone help us figure out the magic six for the sample log below?
SHOULD_LINEMERGE=
LINE_BREAKER=
MAX_TIMESTAMP_LOOKAHEAD=
TIME_PREFIX=
TRUNCATE=
TIME_FORMAT=
VersionNum...
Not working SEDCMD in my props.conf /opt/splunk/etc/system/local/props.conf [ActiveDirectory] SEDCMD-mask_ms_pwd = s/(ms-Mcs-AdmPwd\s*=)\s*.*/ms-Mcs-AdmPwd=*******/ ...
I've read the documentation for inline field extractions and I don't see what I'm doing wrong here. I've added a props.conf file to my test app with the following: [emm_syslog]
LINE_BREAKER = ([\r\n...
Hello,
I have events with epoch time. How can I extract epoch time in human-readable format using props.conf? My props.conf file is provided below:
[myprops]
SHUOLD_LINEMERGE=false
L...