Splunk Configuration Files : Event line breaking using props.conf

Рет қаралды 24,068

Splunk & Machine Learning

Күн бұрын

Пікірлер: 35

@rfusion6 4 жыл бұрын

Not all heroes wear cape! you are doing the work of god dude! Thanks a lot.

@splunk_ml 4 жыл бұрын

Thank you 🙏

@ManojSharma-hv9ml 4 жыл бұрын

You're really an awesome example of a great teacher who knows very well how to teach their students. GOD bless you Sir..

@logicfirst7959 5 жыл бұрын

Superb Siddhartha, you entire Splunk videos are just impeccable. Thank you for teaching us this valuable skill.

@splunk_ml 5 жыл бұрын

Welcome mate 👍

@joxerlee1 4 жыл бұрын

Nice explanation of props.conf. Thank you!

@ravikishore5987 5 жыл бұрын

Good video Siddhartha,helpful

@BrayanRodriguez-mw7iw Жыл бұрын

*Thank you for the great videos yo do Make a video about Troubleshooting Event Queues in Indexers and Forwarder sin Splunk!*

@saby826 4 жыл бұрын

You're true genius..hats off

@obinnaekeh9188 2 жыл бұрын

Excellent video

@hamidrezashahsavari9578 2 жыл бұрын

That was wonderful

@alfarsalaraby 5 жыл бұрын

Man!!! you are Wonderful! Thank you so much

@splunk_ml 5 жыл бұрын

Thank you Mohammad 👍

@vikassingh4320 5 жыл бұрын

Good work.. Keep it up

@kosmosnagios4618 5 жыл бұрын

I have a question, where do this props go? indexer or on search head? Also, does it require splunk restart? btw did I forget to mention you're awesome?

@splunk_ml 5 жыл бұрын

Well it depends on which configuration you are putting in props.conf. For example if you are putting search time field extraction related config you need to place it in search head and if you are doing index time field extraction it needs to be in indexer.

@kosmosnagios4618 5 жыл бұрын

@@splunk_ml thanks, I noticed there are videos on that topic as well, I'll check them again. Is there any way to apply these on indexers without a restart? It seems it needs a restart but restarting indexers for every change is a bummer.

@splunk_ml 5 жыл бұрын

Sorry i forgot to answer that question... I think you can do it from ui for props changes from settings>>source type menu. That won't require restart.

@rohitpandey4 8 ай бұрын

could you clear my doubt like if SHOULD_LINEMERGE=yes means all event will be merge?? and if SHOULD_LINEMERGE=false means all event will be separate ?? based on 3:34 statement

@rajivranjan9614 Жыл бұрын

Hello Sir...i have one doubt..i have one custom app created in deployment server under deploymentent apps folder and data is coming now I want to break the events..where should I create a props.conf file in deployment server or in indexer....thanks in advance sir

@azwaliyana7406 3 жыл бұрын

Can I change the file configuration after I have saved the file in Splunk? If yes, how can I do that?

@sathyamaniify 4 жыл бұрын

Could you please share link which refers previous video of this - event phase ? Thank you

@splunk_ml 4 жыл бұрын

Here it is. I have added the link in video as well, kzbin.info/www/bejne/g3rVZamuptSkj5Y

@pdteach 4 жыл бұрын

Very helpful . thank you

@madhavam274 5 жыл бұрын

Thanks for good video

@keyman009 4 жыл бұрын

I am sorry, it's my understanding from the documentation, that when you change SHOULD_LINEMERGE to false at 10:30 you are now solely relying on the LINE_BREAKER regex to determine event boundaries. This leaves me confused because when it was set to true, I don't understand why the BREAK_ONLY_BEFORE regex did not exclude the xml declaration line from the first event.

@splunk_ml 4 жыл бұрын

Ideally it should exclude the xml declaration. May be there are some other setting you have which is overriding this behaviour?

@madhavam274 5 жыл бұрын

Could you please make a one video regarding firewalls and ids/ips log source integration into splunk

@splunk_ml 5 жыл бұрын

ok sure I will see if I can do the setup..I will try to cover this as well.

@madhavam274 5 жыл бұрын

@@splunk_ml thank you very much siddharth

@pranavsankar7033 5 жыл бұрын

Awesome video , you can use PREAMBLE_REGEX for remving the XML header

@splunk_ml 5 жыл бұрын

Yes agree with you 👍

@vikashafig 5 жыл бұрын

@@splunk_ml Well I tried PREAMBLE_REGEX setting but it did not remove the header so this is what my props says [ __auto__learned__ ] SHOULD_LINEMERGE=false LINE_BREAKER=([ ]*) NO_BINARY_CHECK=true TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N TIME_PREFIX= MAX_TIMESTAMP_LOOKAHEAD=24 MAX_DAYS_AGO=4000 PREAMBLE_REGEX=^\

@prashanthakkineni6942 Жыл бұрын

Hi Siddharth do you conduct online course for Splunk, can I have your email to contact you.

@shubhadajoshi4145 2 жыл бұрын

getting error while running 127.0.0.1:8000/en-US/debug/refresh. The splunkd daemon cannot be reached by splunkweb. Check that there are no blocked network ports or that splunkd is still running. Click here to return to Splunk homepage. 503 Service Unavailable. Can you please help.