×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Charlize
Engager
Member since: ‎03-27-2023
‎05-01-2025
Community Statistics
Posts 3
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎03-27-2023
View All

Re: New metadata field for all events coming via U...

by in Splunk Search
‎05-02-2025 01:37 AM
‎05-02-2025 01:37 AM
| tstats count where index=index_abc by id    There are no results for this query. But events are there in the index. ... View more

New metadata field for all events coming via UF fo...

by in Splunk Search
‎05-01-2025 11:44 PM
‎05-01-2025 11:44 PM
Added the config for the new metadata field in the inputs.conf file and created a fields.conf file to set the field as indexed=true. Still the field is not showing up on SH. This is done for the cloud envi inputs.conf [monitor://D:\Splunk\abc\*.csv] disabled = false index = index_abc sourcetype = src_abc _meta = id::123   fields.conf [id] INDEXED=true ... View more
Labels

How to extract required data from the HEC _raw eve...

by in Getting Data In
‎03-27-2023 01:34 AM
‎03-27-2023 01:34 AM
Hi, My single event length is too long so I want to extract and ingest the specific part from it. The part is in the middle of the event, so I tried extracting it using BREAK_ONLY_BEFORE and BREAK_ONLY_AFTER. Also used the LINE_BREAKER function but it is not working as expected. How can we define start and end of the log in the props.conf file? Is there any alternative to achieve this? Log sample: ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-01-2025 11:35 PM
Karma given to
View All