Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About lawndart
lawndart
New Member
Member since:
11-15-2010
06-05-2020
Community Statistics
| Posts | 5 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 11-15-2010 |
Activity Feed
- Posted Re: How to edit my props.conf and transforms.conf to set the Host value to a portion of each event? on Splunk Search. 06-04-2015 09:58 AM
- Posted Re: How to edit my props.conf and transforms.conf to set the Host value to a portion of each event? on Splunk Search. 06-04-2015 09:33 AM
- Posted How to edit my props.conf and transforms.conf to set the Host value to a portion of each event? on Splunk Search. 06-04-2015 09:32 AM
- Tagged How to edit my props.conf and transforms.conf to set the Host value to a portion of each event? on Splunk Search. 06-04-2015 09:32 AM
- Tagged How to edit my props.conf and transforms.conf to set the Host value to a portion of each event? on Splunk Search. 06-04-2015 09:32 AM
- Tagged How to edit my props.conf and transforms.conf to set the Host value to a portion of each event? on Splunk Search. 06-04-2015 09:32 AM
- Tagged How to edit my props.conf and transforms.conf to set the Host value to a portion of each event? on Splunk Search. 06-04-2015 09:32 AM
- Posted Re: Splunk Server: RHEL or Win2008 on Getting Data In. 05-03-2012 09:57 AM
- Posted Splunk Server: RHEL or Win2008 on Getting Data In. 05-03-2012 09:38 AM
- Tagged Splunk Server: RHEL or Win2008 on Getting Data In. 05-03-2012 09:38 AM
- Tagged Splunk Server: RHEL or Win2008 on Getting Data In. 05-03-2012 09:38 AM
- Tagged Splunk Server: RHEL or Win2008 on Getting Data In. 05-03-2012 09:38 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
06-04-2015
09:58 AM
Aaaand that did it. Thanks for the quick help! Why did that work when the FORMAT option didn't?
... View more
06-04-2015
09:33 AM
Oh, I put the files in both etc/system/local and also in apps/search/local (not at the same time), just in case that made any difference. It didn't.
... View more
06-04-2015
09:32 AM
I'm trying to set my "host" field to a portion of each event (it's traffic logs aggregated from a number of places) and I THINK I have my conf files set up correctly, but it obstinately refuses to function.
My transforms.conf:
[agg_traffic-HostSet]
REGEX = ^[^,]+,[^,]+,[^,]+,[^,]+,\d+,[^,]+[^,\n]*,[^,]+,[^,]+,([^,]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
My props.conf:
[agg_traffic]
TRANSFORMS-agg_traffic = agg_traffic-HostSet
Example csv formatted event:
2015-06-01,20150601,127.0.0.1,10.10.0.1,800,17,DNS,site02,site02,<Event continues>
So that SHOULD set host=site02 (overriding the manual host definition from the input), except it doesn't. What have I screwed up? If I dump the regex into the rex command, it works exactly like I want it to.
... View more
05-03-2012
09:57 AM
Yeah, we have a small enough deployment that we haven't noticed any issues with running it off VMs so far, but we have some long term plans to spec up to physical boxes when we need it.
... View more
05-03-2012
09:38 AM
Hello all,
I'm moving my Splunk server to a new VM based box and I can either build it as a RHEL5/6 box or a Windows Server 2008 R2 box. My team and I are generally proficient in both, and we have a mixed environment of both. Has anyone looked at or noticed any performance differences across Splunk on those two OSs?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
