Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Props Conf File

SplunkDash
Motivator
‎08-05-2021 02:31 PM

 

How would I write the props config file for following events, any help will be highly appreciated, thank you!

 

Thu, 01 Jul 2021 00:20:04 -0400|system|flush_vulns|INFO|-1|Removing old data in Repository

Thu, 01 Jul 2021 00:20:04 -0400|system|flush_vulns|INFO|-1|Successful removal of old  data in Repository

Thu, 01 Jul 2021 00:20:05 -0400|system|flush_vulns|INFO|-1|Removing old data in Repository

Thu, 01 Jul 2021 00:20:05 -0400|system|flush_vulns|INFO|-1|Successful removal of old data in Repository

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎08-09-2021 01:04 AM

hi @SplunkDash,

You have pipe-separated data, you can also try  INDEXED_EXTRACTIONS.

[sourcetype]
INDEXED_EXTRACTIONS = PSV
FIELD_NAMES = timestamp,context,type,log_level,code,message
TIMESTAMP_FIELDS = timestamp
SHOULD_LINEMERGE = false

 

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎08-09-2021 01:04 AM

hi @SplunkDash,

You have pipe-separated data, you can also try  INDEXED_EXTRACTIONS.

[sourcetype]
INDEXED_EXTRACTIONS = PSV
FIELD_NAMES = timestamp,context,type,log_level,code,message
TIMESTAMP_FIELDS = timestamp
SHOULD_LINEMERGE = false

 

Reply
Solved! Jump to solution

SplunkDash
Motivator
‎08-09-2021 07:41 AM

..yes working as expected.....thank you so much, truly appreciated!!!

0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎08-09-2021 07:39 AM

.... yes working as expected. Thank you, truly  appreciated.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎08-09-2021 07:44 AM

Please accept it as a solution, so it will help others with similar issue.

Tags (1)
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-05-2021 03:05 PM

Hi

can you describe what you want to get by props (e.g. some fields defined or drop events or ....)?

r. Ismo

0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎08-05-2021 03:19 PM

Thank you so much. I stuck writing my TIME_PREFIX and TIME_FORMAT in Props Configuration file for those events . Thank you again.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-05-2021 11:02 PM

Can you post your current version?

0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎08-06-2021 07:49 AM

7.3.3

 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-06-2021 11:46 AM
I mean your props.conf and transforms.conf (if you have also it).
0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎08-09-2021 12:19 AM

Why we need the version of it...? .....anyways, I solved that issue (see below). Thank you so much, appreciated!!!

SHOULD_LINEMERGE=false

LINE_BREAKER=([\r\n]+)

NO_BINARY_CHECK=true

TIME_PREFIX=\,+\s

TIME_FORMAT=%d %b %Y %H:%M:%S %z

MAX_TIMESTAMP_LOOKAHEAD=26

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...