...he extra contents) doesn't work. I also tried to set up a priority using the props.conf "priority" option with no luck. I also tried to use source for the first stanza because source usually has an h...
Hello comrades, after my poor research, I found that only the heavy forwarder supports props.conf, but those were like 5- or 6-year-old posts. I wonder whether UF could now support props.conf? Also how do I u...
Not working SEDCMD in my props.conf /opt/splunk/etc/system/local/props.conf [ActiveDirectory] SEDCMD-mask_ms_pwd = s/(ms-Mcs-AdmPwd\s*=)\s*.*/ms-Mcs-AdmPwd=*******/ ...
What is the expected impact of increasing the value for TRUNCATE, the log reception upper limit setting value that can be defined in the indexer props.conf?
Also, are there any problem cases with T...
Hello, I have some issues with the TIME_FORMAT field in the props.conf file, getting some error messages "Failed to parse timestamp, defaulting to file modtime". My props.conf file and a couple of s...
Hi All,
Can anyone help us to figure out the magic six for the below sample log?
SHOULD_LINEMERGE=
LINE_BREAKER=
MAX_TIMESTAMP_LOOKAHEAD=
TIME_PREFIX=
TRUNCATE=
TIME_FORMAT=
VersionNum...
I've read the documentation for inline field extractions and I don't see what I'm doing wrong here. I've added a props.conf file to my test app with the following: [emm_syslog]
LINE_BREAKER = ([\r\n...
I'm trying to specify a single stanza in props.conf, with FIELDALIAS and EVAL expressions, for two different sourcetypes, "Snare:Security" and "XmlWinEventLog". However, when I use an OR pipe to s...