Hi-
For some reason, every time I try to go to the documentation from within Splunk or from other links, I get a 404 "page not found" and a loop occurs where I never really see the 404 page. So, as I can't get to the documentation, I'd like to ask for some help...
I have a directory that includes several .csv files each with a specific format
"Username","Log On/Off","Hostname","IP Address","YYYMMDDHHMM","Domain"
Each CSV file is named for the user and tracks the computer they are currently logged into - it tracks log on and log off. How can I easily map these fields to appropriate fields for Splunk to understand? Splunk can't figure out the timestamp here, or the hostname (as all files sit on the same network share)...
I'm sure this is simple, but without being able to access any documentation, I'm kind of flying in the dark. This has happened on several computers today at our location, so I gave up. Thanks in advance for any help!
Okay, so I will answer my own question!
Here is my props.conf:
[csv-2]
# The timestamp is the 5th comma-separated field: skip four fields (and the
# opening quote of the 5th), then parse the next 12 characters with TIME_FORMAT.
TIME_PREFIX=^(?:[^,]*,){4}"?
TIME_FORMAT=%Y%m%d%H%M
MAX_TIMESTAMP_LOOKAHEAD=12
TZ=America/New_York
pulldown_type=1
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
CHECK_FOR_HEADER = false
KV_MODE = none
PRIORITY = 101
# Index-time transform: override the host metadata from the 3rd field.
TRANSFORMS-extract_host = extract_host
# Search-time field extraction: a DELIMS-based transform must be referenced
# with REPORT-, not TRANSFORMS- (TRANSFORMS- is index-time only).
REPORT-AutoHeader-1 = AutoHeader-1
And here is my transforms.conf:
[AutoHeader-1]
# Delimiter-based (search-time) extraction. DELIMS is used instead of REGEX,
# so REGEX/MV_ADD/REPEAT_MATCH do not apply here. FIELDS lists the column
# names in order (comma-separated, every entry quoted). The 3rd column is
# named Hostname rather than host so it does not collide with the host
# metadata field set by extract_host; the bracketed "Log[On]/Log[Off]" name
# would be mangled by CLEAN_KEYS, so it is simplified to LogOnOff.
DELIMS = ","
FIELDS = "Username", "LogOnOff", "Hostname", "IP_Address", "Timestamp", "Domain"
CLEAN_KEYS = true

[extract_host]
# Skip two fields, then capture only the 3rd field's value without its quotes.
# A repeated capture group such as ^([^,]*,){3} would set $1 to the whole
# quoted field including the trailing comma, e.g. "WS-1042", instead of WS-1042.
REGEX = ^(?:[^,]*,){2}"?([^",]+)"?,
FORMAT = host::$1
DEST_KEY = MetaData:Host
Remember that after making any changes, you need to:
1. Restart the services
2. Gather more data - the previously indexed data won't change. You need new events.
I'd like to know more about the MetaData: keys that I can map to.... Are there more known constructs in Splunk? This was the only one I found in the documentation...
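A quick offline check of the regex approach above, added here as an editor's example (it is not part of the original post and is not Splunk code): it applies a TIME_PREFIX-style regex and a host-extraction regex to a few constructed sample lines in the question's layout, parses the timestamp with the %Y%m%d%H%M format, and splits the remaining columns the way a DELIMS="," extraction would. The sample records, the field names, and the exact regexes are the editor's own assumptions; Python's re module behaves like Splunk's PCRE for patterns this simple, but this is only a sanity check before you restart Splunk and index a fresh file.

```python
import re
from datetime import datetime

# Constructed sample records in the layout described in the question:
# "Username","Log On/Off","Hostname","IP Address","YYYYMMDDHHMM","Domain"
# These are made-up lines, not data from the original post.
SAMPLE_LINES = [
    '"jsmith","Log On","WS-1042","10.1.4.22","201303041432","CORP"',
    '"jsmith","Log Off","WS-1042","10.1.4.22","201303041801","CORP"',
    '"adoe","Log On","LT-0077","10.1.9.3","201303050903","CORP"',
]

# Column names in CSV order (assumed names, chosen to be safe Splunk field names).
FIELD_NAMES = ["Username", "LogOnOff", "Hostname", "IP_Address", "Timestamp", "Domain"]

# Equivalent of TIME_PREFIX: skip four comma-terminated fields and the opening
# quote of the fifth; the timestamp is then read with the TIME_FORMAT below.
TIME_PREFIX_RE = re.compile(r'^(?:[^,]*,){4}"?')
TIME_FORMAT = "%Y%m%d%H%M"
TIMESTAMP_LEN = 12  # MAX_TIMESTAMP_LOOKAHEAD equivalent

# Equivalent of the host transform: skip two fields, capture the third
# field's value without its surrounding quotes.
HOST_RE = re.compile(r'^(?:[^,]*,){2}"?([^",]+)"?,')


def extract_host(line):
    """Return the hostname (3rd field) or None if the line does not match."""
    m = HOST_RE.match(line)
    return m.group(1) if m else None


def extract_timestamp(line):
    """Return a datetime parsed from the 5th field, or None on no match."""
    m = TIME_PREFIX_RE.match(line)
    if not m:
        return None
    candidate = line[m.end():m.end() + TIMESTAMP_LEN]
    try:
        return datetime.strptime(candidate, TIME_FORMAT)
    except ValueError:
        # Not 12 digits in YYYYMMDDHHMM form: Splunk would fall back to
        # current time / file modtime, which is exactly what we want to catch.
        return None


def split_fields(line):
    """DELIMS="," style split. Quotes are stripped here for readability;
    a real DELIMS extraction leaves them as part of the values."""
    values = [v.strip().strip('"') for v in line.split(",")]
    if len(values) != len(FIELD_NAMES):
        raise ValueError("expected %d fields, got %d" % (len(FIELD_NAMES), len(values)))
    return dict(zip(FIELD_NAMES, values))


def parse_event(line):
    """Combine the three extractions into one event dict."""
    event = split_fields(line)
    event["host"] = extract_host(line)
    event["_time"] = extract_timestamp(line)
    return event


def parse_all(lines=SAMPLE_LINES):
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all():
        print(ev["_time"].isoformat(), ev["host"], ev["Username"], ev["LogOnOff"])
```

If extract_timestamp returns None for a line, the TIME_PREFIX or TIME_FORMAT needs adjusting before you restart Splunk; likewise a host value that still carries quotes or a trailing comma means the capture group is wrong.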
The documentation issue is caused by being unable to reach, or DNS resolve, quickdraw.splunk.com and www.splunk.com.
Wow, okay... I added splunk.com to some of the ad-blocking whitelists and it works now... Not sure why. The web filter and firewall weren't impeding the data at all.
Thanks....
Okay, this is weird. DNS resolves for both of those domains you listed. Using Google Chrome, I go to docs.splunk.com and get forwarded to splunk-base.splunk.com. However, if I try to go to docs.splunk.com in IE 10, it actually sends me to http://docs.splunk.com/Documentation
Beginning to think this may be because of an extension I have installed. Thanks.
docs.splunk.com = www.splunk.com
quickdraw.splunk.com does the translation to the right doc page.
If you can reach both, something in between is blocking you. The docs are and remain generally available.
Thanks for the thought, but no, this is not my issue.
H:\>nslookup quickdraw.splunk.com
Server: gracedca.grace.adn
Address: 192.168.1.251
Non-authoritative answer:
Name: quickdraw.splunk.com
Address: 216.221.226.40
On the docs side...just to confirm: you can't see docs.splunk.com from any browser in your location? The site is up and working.