Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About sindhi
sindhi
Loves-to-Learn Lots
Member since:
03-23-2022
05-24-2022
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 03-23-2022 |
Activity Feed
- Posted Re: Indexed time extraction on Knowledge Management. 05-23-2022 04:40 PM
- Posted Re: Indexed time extraction on Knowledge Management. 05-22-2022 11:38 PM
- Tagged Re: Indexed time extraction on Knowledge Management. 05-22-2022 11:38 PM
- Posted Re: Indexed time extraction on Knowledge Management. 05-20-2022 04:42 PM
- Posted Re: Indexed time extraction on Knowledge Management. 05-20-2022 04:04 PM
- Posted Will it extract any custom field during search head or not? on Knowledge Management. 05-20-2022 05:44 AM
- Posted How to override EVAL statement that exist in Splunkbase TA but don't want to modify in splunkbase TA? on Knowledge Management. 04-30-2022 12:37 AM
- Posted Re: Same search returns different results each time it is run. on Splunk Search. 04-21-2022 04:39 PM
Topics I've Started
05-23-2022
04:40 PM
@PickleRick So in this case we can extract the time from the event by using indexed_extraction=json with TimePrefix and TimeFormat at HF right?
... View more
05-22-2022
11:38 PM
yes we are getting /services/collector/event endpoint and I think this is happening (please see screenshot) in our case as eventhub is putting time field in the event envelop and Splunk is extracting it. It is not extracting the time coming in the events
... View more
- Tags:
- e are
05-20-2022
04:42 PM
Many Thanks @PickleRick @ Can you please share any doco to tell me how can I explicitly provide timestamp and where can I see whether we set auto_extract_timestamp=true or not. Other thing is event hub is adding his time stamp in the event as well we are getting 2 time field one with time (added by event hub) and other with name timestamp(correct time stamp with event). Thanks
... View more
05-20-2022
04:04 PM
Thanks Guys, yes that is typo I am talking about indexed_extraction=json. @somesoni2 @PickleRick @@I am deali with _time field extraction issue. Currently I am ingesting microsoft defender logs on HEC input via event hub. And I am collecting them at /collector/event HEC endpoint. I am using splunkbase TA but it seems like events are not extracting _time as per TA it is taking from event hub. Not sure how to force splunk to use TA regex for timestamp. Splunk support suggest to put indexed_extraticon=json on HF but as you mentioned then it will impact my custom field extraction which I did on SH. Please advise.
... View more
05-20-2022
05:44 AM
Hi All,
My query is if we put indexed_time=json in props.conf at HF where we are ingesting events via HEC input. And put KV_mode=none in props.conf on SH. Will it extract any custom field during SH or not?
Thanks in Advance
... View more
Labels
- Labels:
-
Other
04-30-2022
12:37 AM
Hi Everyone,
I want to override EVAL statement exist in Splunkbase TA but don't want to modify in splunkbase TA. So I create custom TA and put same EVAL statement+extra category which I want to extract but it is not working. Can anybody please help me how I can do that.
Splunkbase TA config
/opt/splunk/etc/apps/TA-microsoft/default/props.conf EVAL-internal_message_id = case(category IN ("Events1", "Events2"),'properties.MessageId')
Custom TA config
/opt/splunk/etc/apps/A-csc_cyber_genric_sh_Splunk_TA/default/props.conf EVAL-internal_message_id = case(category IN ("Events1","Events2","Events3"),'properties.MessageId')
Thanks in Advance
... View more
Labels
- Labels:
-
Other
04-21-2022
04:39 PM
Hi mmarinov, I am facing same issue. Did you find anything to resolve it. Thanks in Advance
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-24-2022
07:07 AM
|
