How can I find out which props/transforms does the...

danielbb · ‎05-19-2021

The Message field of wineventlog is being handled by the default configurations or of the TA and I would like to change it but I can't find out which props/transforms do the current extractions.

The Message field is of multiple lines and the extraction, at the moment, is applied on each line, extracting the name, value pairs separated by a colon.

In the case of Avecto, we see within one line multiple name value pairs and the pairs are separated by commas.

aasabatini · ‎05-19-2021

Hi @danielbb

did you try to use btool option?

splunk btool props list --debug

anyway I share the documentation

https://docs.splunk.com/Documentation/Splunk/8.2.0/Troubleshooting/Usebtooltotroubleshootconfigurati...

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

danielbb · ‎05-19-2021

I ran -

splunk btool transforms list --debug  > /tmp/transforms.all
cat transforms.all  | grep -i '$1::$2'

The second one returns 29 lines and I would like to know which one is being applied.

aasabatini · ‎05-19-2021

Hi @danielbb

usually the conf files have this priority

App directory, local has priority over default
System directory, local has priority over default.

Now I don't know where are located your conf files but generally if is present on the local app the conf file have a priority.

anyway I share this interesting article

https://medium.com/splunkuserdeveloperadministrator/splunk-configuration-files-precedence-explained-...

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

danielbb · ‎05-21-2021

I can't find out where Message is being processed for WinEventLog. I scanned props and transforms with btool and can't find it.

How can I find out which props/transforms does the Message field extraction?

field extraction

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!