Hello, In the Splunk GUI/Interface, I filter into the following commands to remove some unwanted data from being displayed: | rex mode=sed field=_raw "s/ example: .+?( from |$)/ example: select from /g" | rex mode=sed field=_raw "s/ in \(.+?\) / in (...) /g" How would I apply this to props.conf in my forwarder (or is there a better option i.e. transforms.conf)?  I tried the following but did not seem to work for me.  [XX] SEDCMD-first = s/ example: .+?( from |$)/ example: select from /g SEDCMD-second = s/ in \(.+?\) / in (...) /g force_local_processing = true ... View more

Hello, Had a quick question with regards to props.conf and how it would behave.  We have a directory which has a large number of different logs and we use just one sourcetype for all (*.* in the path in inputs.conf).   I am planning to setup the following props.conf for this sourcetype as the vast majority of the log files follow this date structure/setup.  However, a few of the logs do not.  I'm just wondering how these logs would behave?  Would they simply revert to the overall system default?  Of course I could setup separate sourcetypes for each file name if need be, but would rather continue with I have for now. SHOULD_LINEMERGE=true TIME_FORMAT=%Y-%m-%d %H:%M:%S[\.,]%3N TIME_PREFIX=^ MAX_TIMESTAMP_LOOKAHEAD=24 BREAK_ONLY_BEFORE_DATE=TRUE Thanks!   ... View more

Hello, I have a log file with dates occurring inside the lines (not just at the beginning of the line). Splunk is creating a separate event each time the date/timestamp is encountered, not just at the beginning of the line. I've done a lot of research on these forums and have tried playing extensively with props.conf inside my etc/system/local directory (which I believe is highest priority). I've tried using "LINE_BREAKER" with a regular expression (date/time stamp at the beginning of the line) and "SHOULD_LINEMERGE" set to false, have also tried "BREAK_ONLY_BEFORE", "TIME_PREFIX", "TIME_FORMAT", etc. Anytime I've made these changes and re-started Splunk, I am able to see them when I use the btool command to check for props settings, so they do seem to be picking up. However, in my GUI, my log files continue to break at any date/timestamp encountered. Perhaps there is something else wrong with my settings. Here's what my input.conf looks like and one thing I've tried for props.conf in the same folder. input.conf entry: [monitor:///path_to_log/log_file_name*.log] disabled = 0 sourcetype = log_file_name props.conf entry (just one of many settings I've tried): [log_file_name] BREAK_ONLY_BEFORE_DATE = false BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} sourcetype = log_file_name Any suggestions would be appreciated. ... View more