Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Search
Splunk Community
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Search
Search
Search the Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
12,612 results
Sort by:
02-25-2025
11:48 AM
my event and inputs.conf sourcetype = rsa:syslog feb 01 10:24:12 myhostname 2025-02-01 10:24:12,999, myhostname, audit.admin.com.cd.etc info my props.conf [rsa:syslog] TRANSFORMS-c...
- Tags:
- transforms
Labels
- Labels:
-
metadata
Show results in replies (4)
-
... sourcetype = rsa:syslog my props.conf I would like to change sourcetype base "a...
-
issues had been resolved. I did the props.conf and transforms.conf on the search heads alone, it d...
-
... sourcetype = rsa:syslog my props.conf I would like to change sourcetype base "a...
-
...Try removing the SOURCE_KEY key/value pair from your props.conf and see if that resolves your issue....
03-07-2025
07:04 AM
Dear Members, I have a use case where I would need to update or insert configuration to transforms.conf, props.conf and outputs.conf. I was told that it is possible to do this via a creating an app....
Labels
- Labels:
-
configuration
Show results in replies (5)
-
...iles, your simple app might looks like this $SPLUNK_HOME/ etc/ apps/ yourAppName/ local/ props.conf...
-
...or splunk, but there should be also something about this. For details about props.conf and t...
-
I tried putting my props.conf and transforms.conf to $SPLUNK_HOME/etc/apps/yourAppName/l...
-
...ttps://dev.splunk.com/enterprise/docs/developapps/extensionpoints It does mention props.conf and t...
-
...ur outputs.conf from the app, to add/override the settings we needed, and it turned out that this a...
11-16-2023
10:59 PM
...he extra contents) doesn't work. I also tried to setup a priority using the props.conf "priority" option with no luck. I also tried to use source for the first stanza because source usually has an h...
Labels
- Labels:
-
props.conf
Show results in replies (7)
-
Hi at all, new failed test: I also tried to use transforms.conf instead of SEDCMD in props...
-
...vent-cutting ones). props.conf: [test_sourcetype_to_recast] #Order of transform classes i crucial! Y...
-
...he issue I suppose that's in the precedence on events in the activities listed in the props.conf. C...
-
...his means that props.conf matching on host or source will incorrectly be applied a second time. S...
-
...nderstand, you hint a props.conf like the following: [logstash] # set host TRANSFORMS-sethost = s...
-
Hi @PickleRick , there's still something wrong: I used this props.conf: [logstash] T...
-
OK. Look at this: props.conf: [test_sourcetype_to_recast] #Order of transform classes i c...
10-02-2023
07:09 PM
Hello comrades, After my poor research, I found that only heavy forwarder supports props.conf, but it was like 5 or 6 years old posts. I wonder that UF could now support props.conf? Also how do I u...
Labels
Show results in replies (4)
-
yep, the props.conf on the UF is very very limited. SEDCMD on props.conf is only for HF or i...
-
>>> 1. Document mentioned that I have to create props.conf in /opt/splunk/deployment.apps...
-
Sorry for trouble, As I named myself... 1. Document mentioned that I have to create props.conf i...
-
Hi @BoldKnowsNothin ... the UF, still supports, only very limited props.conf tasks.&n...
07-21-2023
02:27 AM
how can i in the props.conf file tell Splunk to take the second timestamp as opposed to the first
Labels
- Labels:
-
props.conf
-
transforms.conf
07-07-2019
12:53 PM
what is the expected impact of increasing the value for TRUNCATE, the log reception upper limit setting value that can be defined in the indexer props.conf.
Also, is there any problem cases with T...
06-14-2019
06:24 AM
Hi All,
can anyone help us to figure out magic six for the below sample log?
SHOULD_LINEMERGE=
LINE_BREAKER=
MAX_TIMESTAMP_LOOKAHEAD=
TIME_PREFIX=
TRUNCATE=
TIME_FORMAT=
VersionNum...
- Tags:
- splunk-enterprise
11-18-2021
03:07 AM
Not working SEDCMD in my props.conf /opt/splunk/etc/system/local/props.conf [ActiveDirectory] SEDCMD-mask_ms_pwd = s/(ms-Mcs-AdmPwd\s*=)\s*.*/ms-Mcs-AdmPwd=*******/ &n...
Show results in replies (4)
-
You can deploy a props.conf configuration utilising “SEDCMD” and have it apply to the sourcetype “A...
-
indexer /opt/splunk/etc/system/local/props.conf Yes. I restarted every time I c...
-
Where are you putting the props.conf file? It must be on the indexers and, if you have t...
-
...bsp; props.conf [ActiveDirectory] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+---splunk-a...
01-02-2024
07:17 AM
I've read the documentation for inline field extractions and I don't see what I'm doing wrong here. I've added a props.conf file to my test app with the following: [emm_syslog]
LINE_BREAKER = ([\r\n...
Labels
- Labels:
-
configuration
-
troubleshooting
08-17-2024
03:53 PM
Hello,
I have events with epoch time. How can I extract epoch time in human readable format using props.conf. My props.conf file is provided below:
[myprops]
SHUOLD_LINEMERGE=false
L...
- Tags:
- epoch time
