×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
agralrst
Loves-to-Learn Lots
Member since: ‎08-04-2024
‎08-23-2024
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-04-2024
Activity Feed
Topics I've Started
View All

Re: Transform.conf is not working

by in Other Usage
‎08-04-2024 07:56 PM
‎08-04-2024 07:56 PM
and the input is only configured in heavy forwarder B but when I put the transform.conf in HF B, it isn't working ... View more

Re: Transform.conf is not working

by in Other Usage
‎08-04-2024 07:54 PM
‎08-04-2024 07:54 PM
I mean it's deployment server & Master Node.  Can I add the props.conf & transform.conf in deployment server and then run this command? /opt/splunk/bin/splunk reload deploy-server I'm sorry for asking the basic thing I'm new in Splunk. ... View more

Re: Transform.conf is not working

by in Other Usage
‎08-04-2024 08:33 AM
‎08-04-2024 08:33 AM
anyway I have distributed deployment - Master Depoloyment  - Deployer - INdexer A  - Indexer B  - License Master + Monitoring console - Forwarder A  - FOrwarder B  - Search Head A  - Search Head B - Search Head C    where should I add the props.conf and transform.conf? ... View more

Transform.conf is not working

by in Other Usage
‎08-04-2024 03:43 AM
‎08-04-2024 03:43 AM
I'm trying to extract field for Symantec ProxySG with transform.conf & props.conf but it isn't working. Here is the sample logs: Aug  4 16:31:58 2024-08-04 08: 31:28 "hostname" 5243 xx.xx.xx.xx 200 TCP_TUNNELED 6392 2962 CONNECT tcp domain.com 443 / - yyyy - xx.xx.xx.xx xx.xx.xx.xx "None" - - - - OBSERVED - - xx.xx.xx.xx - 7b711515341865e8-0000000008da5077-0000000066af3c5e - - Here is my configuration:  REGEX = ^.*"CN-SH-PSG-01"\s+(?<bytes_in>\d+)\s+(?<client_ip>\d+\.\d+\.\d+\.\d+)\s+(?<status_code>\d+)\s+(?<action>[^\s]+)\s+(?<bytes_out>\d+)\s+(?<bytes_out2>[^\s]+)\s+(?<http_method>[^\s]+)\s+(?<protocol>[^\s]+)\s+(?<domain>[^\s]+)\s+(?<port>\d+)\s+[^\s]+\s+(?<user>[^\s]+)\s+[^\s]+\s+[^\s]+\s+(?<mime_type>[^\s]+)\s+[^\s]+\s+"(?<user_agent>[^"]+)"FORMAT = bytes_in::$1 client_ip::$2 status_code::$3 action::$4 bytes_out::$5 bytes_out2::$6 http_method::$7 protocol::$8 domain::$9 port::$10 user::$11 mime_type::$12 user_agent::$13 [source::syslog] TRANSFORMS-proxysg_field_extraction = proxysg_field_extraction   I've tried to change the config but the result teh field is not extracted & I have tried my regex using regex101.com and is doing fine ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-23-2024 12:37 AM