Module 10: Parsing Phase and Data Preview Flashcards
What is props.conf used for?
- Used to configure pre-processing (index-time parsing) properties
- Settings are applied through attribute/value pairs
- Observe the order of precedence:
  - System local directory – highest
  - App local directory
  - App default directory
  - System default directory – lowest
- Restart of the parsing instance required after changes
What is transforms.conf used for?
- Works in collaboration with props.conf
- Holds settings that configure data transformations
- Covers the "how" part of a transformation
- Requires a corresponding setting in props.conf that references the transforms.conf stanza by name
- Each stanza needs a unique name
What are the two line-breaking methods in Splunk?
- line breaking (LINE_BREAKER)
- line merging (SHOULD_LINEMERGE)
How is line breaking configured?
- When SHOULD_LINEMERGE=false, Splunk uses the LINE_BREAKER regex, which by default is ([\r\n]+); the text matched by the first capture group is the delimiter and is discarded
How is line merging configured?
- Explicitly provide line-merging settings using attributes like BREAK_ONLY_BEFORE or MUST_BREAK_AFTER
- SHOULD_LINEMERGE=true must be set for these to take effect
How do you configure multi-line event boundaries?
- Breaks the data stream into lines, then re-assembles lines into events
- Add a stanza in props.conf
- Set SHOULD_LINEMERGE=true
- Set the line-merging attributes:
  - BREAK_ONLY_BEFORE
  - BREAK_ONLY_BEFORE_DATE
  - MUST_BREAK_AFTER
  - MAX_EVENTS
How do you break data streams into events with LINE_BREAKER?
- More efficient (a single pass, no re-merging) but the regex is harder to write
- Add a stanza in props.conf
- Set SHOULD_LINEMERGE=false
- Set the LINE_BREAKER attribute:
  - Default is ([\r\n]+)
  - Set it to a regex matching the event boundary; the first capture group is the delimiter that gets dropped
- Restart Splunk
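The two cards above describe the same job done two ways. The following props.conf fragment, added here as an example and not part of the course material, shows both approaches on one constructed Java application log in which stack-trace lines must stay attached to the ERROR line that produced them. The sourcetype names and the log format are assumptions.

```ini
# Constructed sample input (four physical lines, two logical events):
#   2024-03-05 10:15:01,123 ERROR [worker-1] Payment failed
#   java.lang.IllegalStateException: card declined
#       at com.example.Pay.charge(Pay.java:42)
#   2024-03-05 10:15:02,456 INFO  [worker-1] Retry scheduled

# --- props.conf (on the heavy forwarder or indexer that parses this feed) ---

# Option A: line merging. Every line is first split on the default
# ([\r\n]+) breaker, then lines are glued back together until one
# matches BREAK_ONLY_BEFORE. Easy to write, but it costs a second pass.
[app_java]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
# Safety valve: never merge more than this many lines into one event.
MAX_EVENTS = 256

# Option B: LINE_BREAKER only. One pass, no merging. The first capture
# group is the delimiter and is thrown away; the lookahead keeps the
# timestamp out of the capture group so it is not stripped, and makes sure
# we only break where the next line starts with a timestamp.
[app_java_fast]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})
# Long stack traces can exceed the 10000-byte default and get cut off.
TRUNCATE = 100000
```

Both stanzas produce the same two events from the sample. Option B is the one to prefer on a busy indexer; the usual mistake with it is putting the timestamp inside the capture group, which deletes it from the event and then breaks timestamp extraction.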
What are some features of timestamps in Splunk enterprise?
- Nothing without a timestamp: every event must have one; if Splunk cannot find one it assigns one (falling back to the previous event's timestamp from the same source, the file's modification time, or the current time)
- Edit props.conf to configure or modify timestamp extraction
- Timestamp recognition: Splunk recognises most timestamp formats out of the box
- Enhanced strptime() support: TIME_FORMAT uses strptime() syntax plus Splunk extensions such as %N (subseconds) and %s (epoch seconds)
- Timestamp validity attributes (MAX_DAYS_AGO, MAX_DAYS_HENCE) for accepting or rejecting the timestamp found in an event
How do you edit timestamp properties?
- Timestamp configuration is done where parsing happens: heavy forwarders or indexers, not universal forwarders
- Configuration is applied to a [<sourcetype>], [source::<path>] or [host::<name>] stanza in props.conf
- Identifying the correct format of the timestamp is the key (TIME_FORMAT)
- Select the correct timestamp if multiple timestamps are present (TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD)
- Account for the correct time zone (TZ, or a %z in the format)
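Putting the timestamp cards into a concrete props.conf stanza, as an added example rather than anything from the course: the constructed log below carries two ISO-8601 timestamps per line, and only the first one (the event time) must be used. The sourcetype names and the key=value layout are assumptions.

```ini
# Constructed sample input (one line; note the second timestamp in expires=):
#   ts=2024-03-05T10:15:01.123+0000 level=warn user=alice msg="token issued" expires=2024-03-06T10:15:01Z

# --- props.conf (heavy forwarder or indexer) ---
[app_auth_kv]
# Anchor on the ts= key so the later expires= value can never be chosen.
TIME_PREFIX = ^ts=
# Enhanced strptime(): %3N = milliseconds, %z = numeric UTC offset.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
# Scan only this many characters after TIME_PREFIX (default 128). The
# value is 28 characters long; a small lookahead keeps extraction cheap
# and stops it wandering into later fields if ts= is ever malformed.
MAX_TIMESTAMP_LOOKAHEAD = 30
# TZ is only consulted when the format carries no offset. Shown commented
# out here because %z already supplies it; set it for logs without one.
# TZ = UTC
# Validity window: reject anything older than 90 days or more than 1 day
# in the future (defaults are 2000 and 2). A rejected timestamp is
# dropped and Splunk falls back to its default assignment.
MAX_DAYS_AGO = 90
MAX_DAYS_HENCE = 1

# A feed that genuinely has no timestamp: stamp events with index time
# instead of inheriting the previous event's time from the same source.
[app_heartbeat_nots]
DATETIME_CONFIG = CURRENT
```

A practical check after deploying this: search the sourcetype and compare _time against the raw ts= value; if they differ by whole hours the offset handling is wrong, and if events show the same _time as their neighbour the TIME_PREFIX or lookahead is not matching and the fallback assignment kicked in.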
What is a default field?
- Tagged and added automatically to event data at index time
- Each default field holds information about the data it is tagged to
- Three types of default fields: internal (e.g. _raw, _time), basic (e.g. host, source, sourcetype, index) and datetime (e.g. date_hour)
- Overridden when the default behaviour needs to change
- A change does not apply to previously indexed events
How are default fields overridden at input creation time?
- Through Splunk Web
- In configuration files (inputs.conf)
- Provide values for the relevant attributes:
  - host
  - source
  - sourcetype
  - index
How are default fields overridden in existing inputs?
- Define a suitable value to assign:
  - Static value
  - Regular expression (a capture group taken from the event)
- Identify the events to apply the change to (regex based)
- Write stanzas in the configuration files:
  - transforms.conf (REGEX, FORMAT, DEST_KEY)
  - props.conf (the TRANSFORMS- reference)
- Restart Splunk
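The card above in working form, as an added example that is not from the course: a relay file that mixes lines from several hosts and daemons, where the host is taken from the event with a capture group, the sourcetype is changed only for sshd lines, and those lines are also sent to a different index as a static value. File path, index name and stanza names are assumptions.

```ini
# Constructed sample input (/var/log/relay/mixed.log, arrives with host=relay-01):
#   Mar  5 10:15:01 web-01 sshd[4242]: Failed password for root from 203.0.113.7 port 51022 ssh2
#   Mar  5 10:15:03 web-02 nginx[1101]: 203.0.113.7 - - "GET /admin HTTP/1.1" 403

# --- props.conf (heavy forwarder or indexer; a UF cannot do regex overrides) ---
[source::/var/log/relay/*.log]
# Transforms run left to right; each sets exactly one metadata key.
TRANSFORMS-override = set_host_from_syslog, set_st_sshd, set_index_sshd

# --- transforms.conf ---
[set_host_from_syslog]
# Regex value: the hostname after the syslog timestamp becomes host.
REGEX = ^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host

[set_st_sshd]
# Only sshd lines get linux_secure; nginx lines keep the input's sourcetype.
REGEX = \ssshd\[\d+\]:
FORMAT = sourcetype::linux_secure
DEST_KEY = MetaData:Sourcetype

[set_index_sshd]
# Static value: the index key takes a bare index name, no "index::" prefix.
REGEX = \ssshd\[\d+\]:
FORMAT = os_security
DEST_KEY = _MetaData:Index
```

Two caveats a practitioner will hit: the sourcetype override happens after line breaking and timestamp extraction, so the index-time settings of linux_secure are not applied to these events (search-time knowledge for that sourcetype is); and the target index must already exist on the indexer, or the events are not stored.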
What is routing event data?
- Based on host, source, sourcetype or a pattern in the events
- Pattern-based routing can only be done on a full Splunk instance (heavy forwarder or indexer), because it requires the parsing phase
- UFs route data based only on host, source and sourcetype
- Can forward to multiple target indexer groups (_TCP_ROUTING)
- Can be routed to third-party systems (e.g. a syslog receiver via _SYSLOG_ROUTING)
What is filtering event data?
- Similar to routing events
- Based on a regular expression:
  - Regex for selecting events
  - . (or (.)) matches all events
- Matched events are sent to a queue:
  - indexQueue (keep)
  - nullQueue (discard)
- Order of transforms matters: the last matching transform to set the queue wins
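The routing and filtering cards combined into one working configuration, added here as an example and not taken from the course. It drops debug noise, sends failed logins to a separate SOC indexer group and a syslog relay, and for a very chatty firewall source keeps only deny/drop lines using the discard-everything-then-rescue pattern. Group names, hostnames, paths and the key=value layout are assumptions.

```ini
# Constructed sample input for sourcetype app_auth_kv (one event per line):
#   ts=2024-03-05T10:15:01.123+0000 level=debug event=cache_hit user=alice
#   ts=2024-03-05T10:15:02.001+0000 level=warn event=login_failed user=root src=203.0.113.7
# Constructed sample input for /var/log/firewall/edge.log:
#   2024-03-05T10:15:03Z action=allow src=10.0.0.5 dst=10.0.0.9 dport=443
#   2024-03-05T10:15:04Z action=deny src=203.0.113.7 dst=10.0.0.9 dport=22

# --- props.conf (heavy forwarder or indexer) ---
[app_auth_kv]
# Within one TRANSFORMS- list the order is left to right; across several
# lists on the same stanza, the class names are applied in ASCII order.
TRANSFORMS-filter = drop_debug
TRANSFORMS-route  = route_failed_logins

[source::/var/log/firewall/*.log]
# Keep-only: nullQueue everything (REGEX = .), then rescue the wanted lines.
# Swapping these two names would discard the whole source.
TRANSFORMS-keep = fw_setnull, fw_setparsing

# --- transforms.conf ---
[drop_debug]
REGEX = \slevel=debug(\s|$)
DEST_KEY = queue
FORMAT = nullQueue

[route_failed_logins]
# Matched events go ONLY to the groups listed; name both to keep a copy locally.
REGEX = \sevent=login_failed(\s|$)
DEST_KEY = _TCP_ROUTING
FORMAT = soc_indexers,primary_indexers

[fw_setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[fw_setparsing]
REGEX = \saction=(deny|drop)\s
DEST_KEY = queue
FORMAT = indexQueue

# --- outputs.conf ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997

[tcpout:soc_indexers]
server = soc-idx.example.internal:9997

# Third-party destination, selected per event with DEST_KEY = _SYSLOG_ROUTING
# and FORMAT = siem_relay in a transform, or for everything via
# [syslog] defaultGroup.
[syslog:siem_relay]
server = siem.example.internal:514
```

With the samples above, the cache_hit line is discarded, the login_failed line is indexed locally and also shipped to the SOC group, and of the two firewall lines only the deny is kept. Filtering in nullQueue still consumes parsing capacity on the heavy forwarder, so where the volume is large it is cheaper to stop the noise at the source than to drop it here.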