This is a great video, though it would be nice if you could provide a link to the "prior" video that you are referring to. The diagram of the different phases of the data life cycle has great info, and I would like to have the link to the video where you built and discussed it. I am not having much luck trying to see if it's in a playlist.
If the playlist were sorted, it would be very good.
How to fix a license violation error or warning?
Good explanation.... Are you providing any live training?
Thanks Sid, looking forward to more..
Hello. I have to do some .conf files but I don't know how to do it. Do you have personal chat or KT sessions? Thanks in advance
Thanks Sid, very useful :)
Thx Vijay ☺️
Hi
can you make video on transform.conf and case study of transform.conf file.
I feel like you had video on that before but i am not able to find it now.
Here it is,
th-cam.com/video/MIr4vxqoqY4/w-d-xo.html
Hi, can you make a video on what happens if the deployment server or cluster master fails, and which files we mainly need to concentrate on if the data is not catching up in Splunk?
Hey, love the video and all your work, you explain things great :))
Could you by any chance link that OneNote notebook you show in the video or link to download a PDF? It would be really helpful
Hello sir, can you help me with one doubt... I have a UF installed on the target server and I am ingesting logs from a custom app through the deployment server. Now I have to do event line breaking. Where should I place the props.conf? Do I need to place it on the deployment server, on the target server where the UF is installed, or on the indexer?
Thanks in advance, sir
Looking forward to more administration videos
I had one question.. what is the default format in which Splunk saves the logs?
If you check any of the Splunk log files in $SPLUNK_HOME/var/log/splunk, you will get the format.
I am trying to figure out how to define props.conf if the source is ingested from AWS SQS.
Right now it's indexed on index time. I have a field, created_timestamp, and I would prefer the events to be indexed on that timestamp.
My sourcetype is sourcetype="aws:s3:accesslogs".
If I search like this: index=* sourcetype="aws:s3:accesslogs", I get 4 indexes, but I want this to impact just 1 index and set my timestamp.
Please help me!
If I understand your question correctly, you basically want to do the timestamp extraction using props so that your event _time is properly set. You can check the video below, which I created for event timestamp extraction:
th-cam.com/video/Q5EWCT79nZ4/w-d-xo.html
Thanks Sid! That really helped me gain more understanding, yet I am lost with my situation:
I have the following:
sourcetype: aws:s3:accesslogs
source: "s3://jjacob-stats/prod/*.gz"
host: ip-10-0-0-255
But I have 4 different indexes in this category. I only want to change 1 index, which has a timestamp (=event_timestamp). What is your suggestion?
I have documented this issue on Splunk Answers:
answers.splunk.com/answers/807839/ingest-events-from-aws-sqs-but-how-to-config-times.html
In props.conf you can only have settings at the source, host or sourcetype level. Now there is an option called rename sourcetype:
docs.splunk.com/Documentation/Splunk/8.0.2/Data/Renamesourcetypes
Then apply your timestamp settings? You may need to segregate the props settings for those 4 indexes.
host, source, sourcetype: all these are mentioned in inputs.conf. Then the props.conf stanza will open by using any one of the metadata fields. Is that correct or not, sir?
Host, source and sourcetype are the fields automatically created by Splunk when you index data, so you do not need to define them anywhere. Now, for all the configs you create in props, the stanza you create needs to be for one of these metadata fields.
Can you explain the other conf files too? Like inputs.conf, indexes.conf, server.conf.
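The two answers above (segregating timestamp settings for one of several indexes that share a sourcetype, and the point that props.conf stanzas are keyed only by sourcetype, host:: or source::) can be put together in one props.conf. This is an added example, not a file from the video or from Sid: the s3:// bucket and sourcetype come from the question in this thread, but the object layout under prod/, the JSON-style `"created_timestamp":"2020-03-01T12:34:56Z"` event shape, and the date limits are assumptions.

```ini
# props.conf (added example). It belongs on the instance that parses this
# data: the heavy forwarder running the AWS add-on, or the indexer if the
# data arrives unparsed. A universal forwarder does not apply TIME_* settings.

# Baseline for every event of this sourcetype, whichever index it lands in.
[aws:s3:accesslogs]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 10000

# Override for the one feed that should be timed on its own field.
# props.conf has no [index::...] stanza, so the feed is singled out by the
# source path that feeds that index ('...' matches any characters, '/'
# included). When the same key is set in several stanzas, source:: wins
# over host::, which wins over the sourcetype stanza.
[source::s3://jjacob-stats/prod/...]
# Assumed event shape: ... "created_timestamp":"2020-03-01T12:34:56Z" ...
TIME_PREFIX = "created_timestamp"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHEAD = 25
TZ = UTC
# Sanity window (assumed values): an extracted time outside it is replaced
# by the last acceptable event's time, or the current time, instead of
# being indexed far in the past or future.
MAX_DAYS_AGO = 30
MAX_DAYS_HENCE = 1
```

Two caveats worth knowing before trying the rename route: `rename` in props.conf is a search-time alias only, and an index-time sourcetype override in transforms.conf runs in the typing stage, after timestamp extraction has already happened in the aggregator, so TIME_* settings placed under the new sourcetype name never reach `_time`. Keying the override on source:: (or host::) is what actually changes `_time` at index time. Check the result with `| eval lag = _indextime - _time` over the affected index; a `lag` near zero for old objects means the extraction fell back to index time and the TIME_PREFIX regex did not match.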
Thanks in advance
Can we process 4 log files at a time? If yes, what would be the approach?
Hi Narmada,
Yes, you can apply the settings of props on multiple log files. In the props file stanza you need to use a regular expression.
Sid
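To show what "use a regular expression in the stanza" looks like in practice, here is an added example of one props.conf stanza that covers four log files at once. It is not from the video; the directory, file names and the line format (`2020-03-01T12:34:56.789+0000 INFO ...`) are assumptions.

```ini
# props.conf (added example). Stanza patterns are PCRE with three
# translations: '...' matches anything including '/', '*' matches anything
# except '/', and '.' is a literal period. The pattern must match the whole
# source value, not just a substring. Place this on the parsing tier (heavy
# forwarder or indexer); a universal forwarder will not apply it.
[source::/var/log/myapp/(app|auth|audit|billing).log(.\d+)?]
SHOULD_LINEMERGE = false
# Break only where the next line starts with an ISO date, so stack traces
# stay attached to the event that produced them.
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 30
# Rotated copies (app.log.1, audit.log.2, ...) match as well, which is
# intended; app.log.1.gz would not, because the match must be complete.
```

One stanza per pattern keeps the line-breaking and timestamp rules in a single place for all four files; if one of them later needs different handling, add a more specific source:: stanza for that file, since the more specific source pattern takes precedence when both match.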
Can you send me a link to the log files that you use so that I can follow along on my system?
Sorry Lain, this is a very old video and I lost the backup of my old videos :(
Could you make a video on scripted alerts?
Ok sure
Nice video Siddhartha. We have a hybrid cloud environment where 4 Heavy Forwarders are on premise and the indexers/indexing are in the cloud. In this case, where would props.conf and transforms.conf be? Also, how would the conf files be if I need to install a Splunk Cloud approved app? Can you please make a video on that if possible?
Also, I just saw 1 dislike; I wonder what kind of low-life, pathetic, miserable piece of shit would dislike this video and why?
Thanks!!... Regarding your first question, the location of props and transforms will depend on what kind of configurations you want. HFs generally do input and parsing, so if you want to do parsing-level configurations like data masking you need to do it at the heavy forwarder level; if you need to do indexing-level config you need to put it at the indexer.
For your second question, please have a look at the post below:
answers.splunk.com/answers/152272/how-to-access-splunk-cloud-configuration-files.html
I will see if I can make some videos on Splunk Cloud.
Lastly, there could be a thousand reasons people can dislike; I would request everyone to please put a comment on why you dislike so that I can correct that mistake in future :)
Thank you :)
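The answer above places parsing-level work such as data masking on the on-premise heavy forwarders rather than on the cloud indexers. Here is an added example of what that looks like, written for this thread rather than taken from the video: the sourcetype `myapp:api`, the event contents (card numbers, bearer tokens, an `api_key=` parameter, a `/healthz` probe) and the stanza name are all assumptions.

```ini
# ---- props.conf on each on-premise heavy forwarder (added example) ----
# Masking is a parsing-phase setting, so it must run on the first full
# Splunk instance the data passes through. A heavy forwarder sends parsed
# ("cooked") data onward, so the cloud indexer does not re-run these
# settings, and the unmasked value never leaves the site.
[myapp:api]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Keep the last four digits of a 16-digit card number, mask the rest.
SEDCMD-mask_pan = s/\b(?:\d[ -]?){12}(\d{4})\b/XXXX-XXXX-XXXX-\1/g
# Blank bearer tokens and API keys wherever they appear in the raw event.
SEDCMD-mask_token = s/(Authorization: Bearer )\S+/\1[REDACTED]/g
SEDCMD-mask_apikey = s/(api_key=)[A-Za-z0-9_\-]+/\1[REDACTED]/g
# Discard health-check noise at the edge, before it crosses the link to
# the cloud and counts against the licence.
TRANSFORMS-drop = myapp_drop_healthcheck

# ---- transforms.conf on the same heavy forwarders (added example) ----
[myapp_drop_healthcheck]
REGEX = "GET /healthz"
DEST_KEY = queue
FORMAT = nullQueue
```

The same rule answers the earlier line-breaking question in this thread: a universal forwarder does not parse, so `LINE_BREAKER` and `SEDCMD` settings on it do nothing; they go into an app that is deployed (via the deployment server, if the heavy forwarders are deployment clients) to the heavy forwarders, or to the indexers when data arrives there unparsed. Masking is index-time only and does not touch events already indexed, so after a change, verify with a search such as `index=<target> sourcetype=myapp:api | regex _raw="\b\d{16}\b"` over the time range since the restart; any hit means a raw value slipped through and the regex needs adjusting.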