About avitallange

DanielPi · ‎01-18-2024

Hi @avadhutha - I’m a Community Moderator in the Splunk Community. This question was posted 10 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!

kristian_kolb · ‎08-29-2013

_time is normally the parsed timestamp from a message, and it is adjusted for timezone. If for some reason Splunk has got the wrong timezone set for a particular input, this can be corrected/specified in props.conf [spec] TZ = UTC will instruct splunk to treat events of type spec as being in the UTC timezone. spec can be one of either sourcetype , source::your_source_name or host::your_host . See the following docs for more info; http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles /K

sowings · ‎08-01-2013

The usual way to do this would be to prompt Splunk to drop the messages that are "Severity: Information". This is done with a parse-time transform to set the _queue metadata field for that event to nullQueue. An example is shown below. The assumption is that your sourcetype for the data is "my_sourcetype". props.conf [my_sourcetype] TRANSFORMS-0_null_queue = drop_information_messages transforms.conf [drop_information_messages] REGEX = Severity:\sInformation DEST_KEY = queue FORMAT = nullQueue See transforms.conf and look for nullQueue.

avitallange · ‎07-15-2013

It worked with the keepempty=true, thank you!

mloven_splunk · ‎07-11-2013

avitallange, I haven't done this before, but I'd guess that this would work. In transforms.conf [myextraction] SOURCE_KEY = MetaData:Source REGEX = E:\\Logs\\([^\\]+)\\([^\\]+)\\.*\.txt FORMAT = component::$1 instance::$2 And in props.conf [your_sourcetype_name] REPORT-myextraction = myextraction

linu1988 · ‎07-10-2013

Please mark answer if it gave you the solution, may help others as well

Ayn · ‎06-23-2013

That diagram shows a brief overview of essentially how Splunk works and what it does, so you'd have to be a bit more specific than that for a splunkbase question. If you want an overview of Splunk, the docs.splunk.com has all kinds of excellent information. The page http://docs.splunk.com/Documentation/Splunk/5.0.3/Installation/Splunksarchitectureandwhatgetsinstalled has this specific image and some info around it.

avitallange · ‎06-02-2013

Thank you!

avital · ‎05-30-2013

The concern is about unnecessarily consume your licence

Posts	17
Solutions	0
Karma Given	2
Karma Received	0
Member Since	‎05-20-2013

Online Status	Offline
Date Last Visited	‎06-05-2020 02:03 AM

How to sort dynamic column names?

How do I control the trace line _time field

Collect specific rows of a trace file

search on multiple indexes

Filter according folders of the source filed

How to monitor specific sub folders

Architecture diagram explanation

Chart of multiple sourcetypes

Configure Splunk to collect data around a spesific...

Re: How to sort dynamic column names?

Re: How do I control the trace line _time field

Re: Collect specific rows of a trace file

Re: search on multiple indexes

Re: Filter according folders of the source filed

Re: How to monitor specific sub folders

Re: Architecture diagram explanation

Re: Chart of multiple sourcetypes

Re: Configure Splunk to collect data around a spes...

Join the Conversation