×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
hemant_lnu
Engager
Member since: ‎04-24-2025
‎04-25-2025
Community Statistics
Posts 1
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎04-24-2025
Activity Feed
View All

Please help me out to understand the below configs

by in Getting Data In
‎04-24-2025 11:21 AM
‎04-24-2025 11:21 AM
We have one index os_linux which has 2 source type and i see props and transform is written . can you help me to understand how its working . linux:audit Linux_os_syslog   props.conf [Linux_os_syslog] TIME_PREFIX = ^ TIME_FORMAT = %b %d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 15 SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) TRUNCATE = 2048 TZ = US/Eastern Transforms.conf [linux_audit] DEST_KEY = MetaData:Sourcetype REGEX = type=\S+\s+msg=audit FORMAT = sourcetype::linux:audit [auditd_node] REGEX = \snode=(\S+) FORMAT = host::$1 DEST_KEY = MetaData:Host   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-25-2025 12:46 AM
Karma given to
View All