# props.conf - TrackMe sourcetype and source stanzas (index-time parsing and search-time field settings)

#
# TrackMe audit events
#

[trackme:audit]
KV_MODE = json
TZ = UTC
# search-time: collapse duplicated multivalue fields coming out of the JSON payload
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)

#
# TrackMe flipping state events
#

[trackme:flip]
KV_MODE = json
TZ = UTC
# search-time: collapse duplicated multivalue fields coming out of the JSON payload
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
# anomaly_reason is a JSON list: expose the auto-extracted anomaly_reason{} as anomaly_reason
# and null the original multivalue field so only the alias remains visible
FIELDALIAS-anomaly_reason = anomaly_reason{} ASNEW anomaly_reason
EVAL-anomaly_reason{} = null

#
# TrackMe SLA breaches notification events
#

[trackme:sla_breaches]
KV_MODE = json
TZ = UTC
# search-time: collapse duplicated multivalue fields coming out of the JSON payload
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
# anomaly_reason is a JSON list: expose the auto-extracted anomaly_reason{} as anomaly_reason
# and null the original multivalue field so only the alias remains visible
FIELDALIAS-anomaly_reason = anomaly_reason{} ASNEW anomaly_reason
EVAL-anomaly_reason{} = null

#
# TrackMe score events
#

[trackme:score]
KV_MODE = json
TZ = UTC
# search-time: collapse duplicated multivalue fields coming out of the JSON payload
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)

#
# TrackMe notable events
#

[trackme:notable]
KV_MODE = json
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"_time\":\s
# epoch seconds with a fractional part
# NOTE(review): the other epoch-based stanzas in this file use %s.%6N; confirm %f is honored by the target Splunk version
TIME_FORMAT = %s.%f
MAX_TIMESTAMP_LOOKAHEAD = 25
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TZ = UTC
# search-time: collapse duplicated multivalue fields coming out of the JSON payload
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
# index-time transforms applied at the sourcetype level for notables
TRANSFORMS-trackme_indexed_fields = trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object, trackme_indexed_json_monitored_state
# anomaly_reason is a JSON list: expose the auto-extracted anomaly_reason{} as anomaly_reason
# and null the original multivalue field so only the alias remains visible
FIELDALIAS-anomaly_reason = anomaly_reason{} ASNEW anomaly_reason
EVAL-anomaly_reason{} = null

#
# TrackMe Smart Status
#

# Events are ingested via the SDK method; _time is the time at which the method is called
[trackme:smart_status]
KV_MODE = json
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
# no timestamp is parsed from the event: index time is used
DATETIME_CONFIG = CURRENT
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TZ = UTC
# search-time: collapse duplicated multivalue fields coming out of the JSON payload
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
TRANSFORMS-trackme_indexed_fields = trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object

#
# TrackMe health events
#

[trackme:health]
KV_MODE = json
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
# no timestamp is parsed from the event: index time is used
DATETIME_CONFIG = CURRENT
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TZ = UTC
# search-time: collapse duplicated multivalue fields coming out of the JSON payload
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
TRANSFORMS-trackme_indexed_fields = trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object

#
# TrackMe notification events
#

[trackme:handler]
KV_MODE = json
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
# no timestamp is parsed from the event: index time is used
DATETIME_CONFIG = CURRENT
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TZ = UTC
# search-time: collapse duplicated multivalue fields coming out of the JSON payload
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
TRANSFORMS-trackme_indexed_fields = trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object

#
# TrackMe stateful alert events
#

[trackme:stateful_alerts]
KV_MODE = json
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
# no timestamp is parsed from the event: index time is used
DATETIME_CONFIG = CURRENT
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TZ = UTC
# search-time: collapse duplicated multivalue fields coming out of the JSON payload
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
TRANSFORMS-trackme_indexed_fields = trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object

#
# TrackMe Workload version metadata
#

[trackme:wlk:version_id]
KV_MODE = json
TZ = UTC
# note: this stanza references the non-json indexed transforms (trackme_indexed_* rather than trackme_indexed_json_*)
TRANSFORMS-trackme_indexed_fields = trackme_indexed_tenant_id, trackme_indexed_object_category, trackme_indexed_object
# search-time: collapse duplicated multivalue fields coming out of the JSON payload
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)

#
# TrackMe fields quality
#

[trackme:fields_quality]
KV_MODE = json
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"time\":
# epoch seconds with a fractional part
# NOTE(review): the other epoch-based stanzas in this file use %s.%6N; confirm %f is honored by the target Splunk version
TIME_FORMAT = %s.%f
MAX_TIMESTAMP_LOOKAHEAD = 25
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# TZ: deliberately not set to UTC here, these events are meant to be ingested through the collect command

#
# alert actions
#

# Issue#851: modular alert action logs must not force a UTC timezone, so no TZ key is set in these stanzas

[source::...trackme_smart_status_modalert.log*]
sourcetype = modular_alerts:trackme_smart_status
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s

# no TZ key on purpose (see the Issue#851 note at the top of this section)
[source::...trackme_auto_ack_modalert.log*]
sourcetype = modular_alerts:trackme_auto_ack
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s

# no TZ key on purpose (see the Issue#851 note at the top of this section)
[source::...trackme_free_style_rest_call_modalert.log*]
sourcetype = modular_alerts:trackme_free_style_rest_call
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s

# no TZ key on purpose (see the Issue#851 note at the top of this section)
[source::...trackme_notable_modalert.log*]
sourcetype = modular_alerts:trackme_notable
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s

# no TZ key on purpose (see the Issue#851 note at the top of this section)
[source::...trackme_stateful_alert_modalert.log*]
sourcetype = modular_alerts:trackme_stateful_alert
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s

#
# TrackMe REST API
#

[source::...trackme_rest_api_*.log*]
sourcetype = trackme:rest_api
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s

#
# TrackMe handler events
#

[source::...trackme_handler_events.log*]
KV_MODE = none
# INDEXED_EXTRACTIONS is required for the INGEST_EVAL transforms; per the original note only the final fields they produce are kept
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"time\":\s\"
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TRANSFORMS-eventslog = trackme_events_ingest_evals, trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object, trackme_indexed_json_monitored_state

#
# TrackMe events
#

[source::...trackme_state_events.log*]
KV_MODE = none
# INDEXED_EXTRACTIONS is required for the INGEST_EVAL transforms; per the original note only the final fields they produce are kept
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"time\":\s\"
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TRANSFORMS-eventslog = trackme_events_ingest_evals, trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object, trackme_indexed_json_monitored_state

#
# TrackMe audit events (new format introduced in 2.1.2: index-time parsing happens here, events are then redirected to trackme:audit)
#

[source::...trackme_audit_events.log*]
KV_MODE = none
# INDEXED_EXTRACTIONS is required for the INGEST_EVAL transforms; per the original note only the final fields they produce are kept
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"time\":\s
# epoch seconds with microseconds
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TRANSFORMS-auditlog = trackme_audit_events_ingest_evals

# this applies at the overridden props level
[trackme:state]
KV_MODE = json
# search-time: collapse duplicated multivalue fields coming out of the JSON payload
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
# anomaly_reason is a JSON list: expose the auto-extracted anomaly_reason{} as anomaly_reason
# and null the original multivalue field so only the alias remains visible
FIELDALIAS-anomaly_reason = anomaly_reason{} ASNEW anomaly_reason
EVAL-anomaly_reason{} = null

#
# TrackMe Workload versioning
#

[source::...trackme_wlk_version.log*]
KV_MODE = none
# INDEXED_EXTRACTIONS is required for the INGEST_EVAL transforms; per the original note only the final fields they produce are kept
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"time\":\s\"
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
TRANSFORMS-eventslog = trackme_events_ingest_evals, trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object

#
# Required for the Workload
#

# search-time alias so the app name is reachable as a plain "app" field
[source::...resource_usage.log*]
FIELDALIAS-app = data.search_props.app ASNEW app

# search-time alias so the app name is reachable as a plain "app" field
[source::splunk-svc-consumer]
FIELDALIAS-app = search_app ASNEW app

# search-time alias so the app name is reachable as a plain "app" field
[source::splunk-svc-search-attribution]
FIELDALIAS-app = search_app ASNEW app

#
# Events to metrics
#

# scoring metrics
[source::...trackme_scoring_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# INDEXED_EXTRACTIONS is required for the INGEST_EVAL transforms; per the original note only the final fields they produce are kept
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"time\":\s
# epoch seconds with microseconds
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_scoring_metrics_extract_schema
TRANSFORMS-metricslog = trackme_scoring_metrics_index_redirect,trackme_scoring_metrics_field_extraction,trackme_scoring_metrics_field_extraction_json,trackme_scoring_metrics_metric_name

# sla state metrics
[source::...trackme_sla_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# INDEXED_EXTRACTIONS is required for the INGEST_EVAL transforms; per the original note only the final fields they produce are kept
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"time\":\s
# epoch seconds with microseconds
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_sla_metrics_extract_schema
TRANSFORMS-metricslog = trackme_sla_metrics_index_redirect,trackme_sla_metrics_field_extraction,trackme_sla_metrics_field_extraction_json,trackme_sla_metrics_metric_name

# components register metrics
[source::...trackme_components_register_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# INDEXED_EXTRACTIONS is required for the INGEST_EVAL transforms; per the original note only the final fields they produce are kept
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"time\":\s
# epoch seconds with microseconds
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_components_register_metrics_extract_schema
TRANSFORMS-metricslog = trackme_components_register_metrics_index_redirect,trackme_components_register_metrics_field_extraction,trackme_components_register_metrics_field_extraction_json,trackme_components_register_metrics_metric_name

# splk-dsm state metrics
[source::...trackme_splk_dsm_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# INDEXED_EXTRACTIONS is required for the INGEST_EVAL transforms; per the original note only the final fields they produce are kept
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"time\":\s
# epoch seconds with microseconds
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_splk_dsm_metrics_extract_schema
TRANSFORMS-metricslog = trackme_splk_dsm_metrics_index_redirect,trackme_splk_dsm_metrics_field_extraction,trackme_splk_dsm_metrics_field_extraction_json,trackme_splk_dsm_metrics_metric_name

# splk-dhm state metrics
[source::...trackme_splk_dhm_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# INDEXED_EXTRACTIONS is required for the INGEST_EVAL transforms; per the original note only the final fields they produce are kept
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"time\":\s
# epoch seconds with microseconds
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_splk_dhm_metrics_extract_schema
TRANSFORMS-metricslog = trackme_splk_dhm_metrics_index_redirect,trackme_splk_dhm_metrics_field_extraction,trackme_splk_dhm_metrics_field_extraction_json,trackme_splk_dhm_metrics_metric_name

# splk-mhm state metrics
[source::...trackme_splk_mhm_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# INDEXED_EXTRACTIONS is required for the INGEST_EVAL transforms; per the original note only the final fields they produce are kept
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"time\":\s
# epoch seconds with microseconds
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_splk_mhm_metrics_extract_schema
TRANSFORMS-metricslog = trackme_splk_mhm_metrics_index_redirect,trackme_splk_mhm_metrics_field_extraction,trackme_splk_mhm_metrics_field_extraction_json,trackme_splk_mhm_metrics_metric_name

# splk-flx metrics
[source::...trackme_flx_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# INDEXED_EXTRACTIONS is required for the INGEST_EVAL transforms; per the original note only the final fields they produce are kept
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"time\":\s
# epoch seconds with microseconds
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_flx_metrics_extract_schema
TRANSFORMS-metricslog = trackme_flx_metrics_index_redirect,trackme_flx_metrics_field_extraction,trackme_flx_metrics_field_extraction_json,trackme_flx_metrics_metric_name

# splk-fqm metrics
[source::...trackme_fqm_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# INDEXED_EXTRACTIONS is required for the INGEST_EVAL transforms; per the original note only the final fields they produce are kept
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"time\":\s
# epoch seconds with microseconds
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_fqm_metrics_extract_schema
TRANSFORMS-metricslog = trackme_fqm_metrics_index_redirect,trackme_fqm_metrics_field_extraction,trackme_fqm_metrics_field_extraction_json,trackme_fqm_metrics_metric_name

# splk-wlk metrics
[source::...trackme_wlk_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# INDEXED_EXTRACTIONS is required for the INGEST_EVAL transforms; per the original note only the final fields they produce are kept
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\{
CHARSET = UTF-8
TIME_PREFIX = \"time\":\s
# epoch seconds with microseconds
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_wlk_metrics_extract_schema
TRANSFORMS-metricslog = trackme_wlk_metrics_index_redirect,trackme_wlk_metrics_field_extraction,trackme_wlk_metrics_field_extraction_json,trackme_wlk_metrics_metric_name

#
# TrackMe custom commands
#

# one stanza per command log; all share the same line breaking, timestamp and log_level extraction

[source::...trackme_splunkremotesearch.log*]
sourcetype = trackme:custom_commands:splunkremotesearch
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# NOTE(review): "...trackme.log*" is the broadest source pattern in this section; confirm no other trackme*.log file is caught by it
[source::...trackme.log*]
sourcetype = trackme:custom_commands:trackme
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmegetconf command log
[source::...trackme_get_conf.log*]
sourcetype = trackme:custom_commands:trackmegetconf
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmepurgeaudit command log
[source::...trackme_trackmepurgeaudit.log*]
sourcetype = trackme:custom_commands:trackmepurgeaudit
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmetrackerexecutor command log
[source::...trackme_tracker_executor.log*]
sourcetype = trackme:custom_commands:trackmetrackerexecutor
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmecimtrackerexecutor command log
[source::...trackme_cimtracker_executor.log*]
sourcetype = trackme:custom_commands:trackmecimtrackerexecutor
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmesamplingexecutor command log
[source::...trackme_sampling_executor.log*]
sourcetype = trackme:custom_commands:trackmesamplingexecutor
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmeelasticexecutor command log
[source::...trackme_elastic_sources_shared_executor.log*]
sourcetype = trackme:custom_commands:trackmeelasticexecutor
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmemergesplkdhm command log
[source::...trackme_merge_splk_dhm.log*]
sourcetype = trackme:custom_commands:trackmemergesplkdhm
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmeextractsplkdhm command log
[source::...trackme_extract_splk_dhm.log*]
sourcetype = trackme:custom_commands:trackmeextractsplkdhm
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmeextractsplkcim command log
[source::...trackme_extract_splk_cim.log*]
sourcetype = trackme:custom_commands:trackmeextractsplkcim
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmesplkgetflipping command log
[source::...trackme_splk_get_flipping.log*]
sourcetype = trackme:custom_commands:trackmesplkgetflipping
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmeacktracker command log
[source::...trackme_ack_tracker.log*]
sourcetype = trackme:custom_commands:trackmeacktracker
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmegennotable command log
[source::...trackme_gen_notable.log*]
sourcetype = trackme:custom_commands:trackmegennotable
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmecollect command log
[source::...trackme_collect.log*]
sourcetype = trackme:custom_commands:trackmecollect
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmecollecthealth command log
[source::...trackme_collect_health.log*]
sourcetype = trackme:custom_commands:trackmecollecthealth
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmetenantstatus command log
[source::...trackme_load_tenants_summary.log*]
sourcetype = trackme:custom_commands:trackmetenantstatus
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmeload command log
[source::...trackme_load_tenants.log*]
sourcetype = trackme:custom_commands:trackmeload
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmemergesplkmhm command log
[source::...trackme_merge_splk_mhm.log*]
sourcetype = trackme:custom_commands:trackmemergesplkmhm
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmeextractsplkmhm command log
[source::...trackme_extract_splk_mhm.log*]
sourcetype = trackme:custom_commands:trackmeextractsplkmhm
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmeexpandsplkmhm command log
[source::...trackme_expand_splk_mhm.log*]
sourcetype = trackme:custom_commands:trackmeexpandsplkmhm
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmesplkoutlierssetrules command log
[source::...trackme_splk_outliers_set_rules.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierssetrules
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmesplkoutlierscimsetrules command log
[source::...trackme_splk_outliers_cim_set_rules.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierscimsetrules
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmesplkoutliersgetrules command log
[source::...trackme_splk_outliers_get_rules.log*]
sourcetype = trackme:custom_commands:trackmesplkoutliersgetrules
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmesplkoutlierscimgetrules command log
[source::...trackme_splk_outliers_cim_get_rules.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierscimgetrules
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmesplkoutliersgetdata command log
[source::...trackme_splk_outliers_get_data.log*]
sourcetype = trackme:custom_commands:trackmesplkoutliersgetdata
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmesplkoutlierstrain command log
[source::...trackme_splk_outliers_train.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierstrain
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmesplkoutlierscimtrain command log
[source::...trackme_splk_outliers_cim_train.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierscimtrain
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmesplkoutliersrender command log
[source::...trackme_splk_outliers_render.log*]
sourcetype = trackme:custom_commands:trackmesplkoutliersrender
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackmesplkoutlierscimrender command log
[source::...trackme_splk_outliers_cim_render.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierscimrender
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET = UTF-8
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = UTC
# 0 lifts the per-event size cap: an oversized line is indexed whole
TRUNCATE = 0
# the word following the timestamp is the log level
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id

# trackme_splk_outliers_train_helper.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_splk_outliers_train_helper.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierstrainhelper
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splk_outliers_tracker_helper.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_splk_outliers_tracker_helper.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierstrackerhelper
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splk_outliers_cim_tracker_helper.log — custom command log. Event boundaries come only from
# LINE_BREAKER (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a
# logged value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is
# read at line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_splk_outliers_cim_tracker_helper.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierscimtrackerhelper
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_tracker_health.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_tracker_health.log*]
sourcetype = trackme:custom_commands:trackmetrackerhealth
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splk_flx_parse.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_splk_flx_parse.log*]
sourcetype = trackme:custom_commands:trackmesplkflxparse
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splk_flx_converging.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_splk_flx_converging.log*]
sourcetype = trackme:custom_commands:trackmesplkflxconverging
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splk_wlk_parse.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_splk_wlk_parse.log*]
sourcetype = trackme:custom_commands:trackmesplkwlkparse
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_opsstatus_expand.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_opsstatus_expand.log*]
sourcetype = trackme:custom_commands:trackmeopsstatusexpand
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_stsummary_splk_dhm.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_stsummary_splk_dhm.log*]
sourcetype = trackme:custom_commands:trackmestsummarysplkdhm
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_persistentfields.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_persistentfields.log*]
sourcetype = trackme:custom_commands:trackmepersistentfields
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_delayed_feeds_inspector.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_delayed_feeds_inspector.log*]
sourcetype = trackme:custom_commands:trackmesplkfeedsdelayed
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splkwlk_getreportsdef_gen.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_splkwlk_getreportsdef_gen.log*]
sourcetype = trackme:custom_commands:trackmesplkwlkgetreportsdefgen
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splkwlk_getreportsdef_stream.log — custom command log. Event boundaries come only from
# LINE_BREAKER (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a
# logged value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is
# read at line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_splkwlk_getreportsdef_stream.log*]
sourcetype = trackme:custom_commands:trackmesplkwlkgetreportsdefstream
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splkwlk_getreportowner_stream.log — custom command log. Event boundaries come only from
# LINE_BREAKER (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a
# logged value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is
# read at line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_splkwlk_getreportowner_stream.log*]
sourcetype = trackme:custom_commands:trackmesplkwlkgetreportowner
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_genjson_metrics.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_genjson_metrics.log*]
sourcetype = trackme:custom_commands:trackmegenjsonmetrics
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splkwlk_inactive_inspector.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_splkwlk_inactive_inspector.log*]
sourcetype = trackme:custom_commands:trackmesplkwlkinactiveinspector
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_extract_json_metrics.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_extract_json_metrics.log*]
sourcetype = trackme:custom_commands:trackmeextractjsonmetrics
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmereplicator.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_trackmereplicator.log*]
sourcetype = trackme:custom_commands:trackmereplicator
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_replica_executor.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_replica_executor.log*]
sourcetype = trackme:custom_commands:trackmereplicaexecutor
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmeautogroup.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_trackmeautogroup.log*]
sourcetype = trackme:custom_commands:trackmeautogroup
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_pretty_json.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_pretty_json.log*]
sourcetype = trackme:custom_commands:trackmeprettyjson
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_yield_json.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_yield_json.log*]
sourcetype = trackme:custom_commands:trackmeyieldjson
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_oneshot_executor.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_oneshot_executor.log*]
sourcetype = trackme:custom_commands:trackmeoneshotexecutor
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_flx_get_usecases.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_flx_get_usecases.log*]
sourcetype = trackme:custom_commands:trackmesplkflxgetuc
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splkflx_inactive_inspector.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_splkflx_inactive_inspector.log*]
sourcetype = trackme:custom_commands:trackmesplkflxinactiveinspector
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splk_soar.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_splk_soar.log*]
sourcetype = trackme:custom_commands:trackmesplksoar
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splk_soar_trackmesplksoarlookup — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
# NOTE(review): unlike the sibling stanzas this source pattern has no ".log" before the trailing "*";
# confirm it matches the file name the command actually writes.
[source::...trackme_splk_soar_trackmesplksoarlookup*]
sourcetype = trackme:custom_commands:trackmesplksoarlookup
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splk_cmdb.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_splk_cmdb.log*]
sourcetype = trackme:custom_commands:trackmesplkcmdb
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_stateful.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_stateful.log*]
sourcetype = trackme:custom_commands:trackmestateful
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmesplkoutliersexpand.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_trackmesplkoutliersexpand.log*]
sourcetype = trackme:custom_commands:trackmesplkoutliersexpand
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmesplkflxexpandextra.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_trackmesplkflxexpandextra.log*]
sourcetype = trackme:custom_commands:trackmesplkflxexpandextra
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_setcurrent_dcounthost_stream.log — custom command log. Event boundaries come only from
# LINE_BREAKER (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a
# logged value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is
# read at line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_setcurrent_dcounthost_stream.log*]
sourcetype = trackme:custom_commands:trackmesplksetcurrentdcounthost
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_adaptive_delay.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it. Unlike the other custom command
# stanzas, two index-time transforms run here: tenant_id AND object are promoted to indexed fields
# (trackme_indexed_kv_tenant_id, trackme_indexed_kv_object; both defined in transforms.conf, not shown).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_adaptive_delay.log*]
sourcetype = trackme:custom_commands:trackmesplkadaptivedelay
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id, trackme_indexed_kv_object
TZ = UTC

# trackme_return_maintenance_kdb.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_return_maintenance_kdb.log*]
sourcetype = trackme:custom_commands:trackmereturnmaintenancedb
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_decision_maker.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_decision_maker.log*]
sourcetype = trackme:custom_commands:trackmedecisionmaker
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmesplktags.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_trackmesplktags.log*]
sourcetype = trackme:custom_commands:trackmesplktags
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmesplkpriority.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_trackmesplkpriority.log*]
sourcetype = trackme:custom_commands:trackmesplkpriority
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmesplkslaclass.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_trackmesplkslaclass.log*]
sourcetype = trackme:custom_commands:trackmesplkslaclass
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_general_health_manager.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_general_health_manager.log*]
sourcetype = trackme:custom_commands:trackmegeneralhealthmanager
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_get_collection.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_get_collection.log*]
sourcetype = trackme:custom_commands:trackmegetcoll
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_testperf_get_collection.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_testperf_get_collection.log*]
sourcetype = trackme:custom_commands:trackmetestperfgetcoll
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_get_logicalgroups.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_get_logicalgroups.log*]
sourcetype = trackme:custom_commands:trackmegetlogicalgroups
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmehashobject.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_trackmehashobject.log*]
sourcetype = trackme:custom_commands:trackmehashobject
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_get_kos.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_get_kos.log*]
sourcetype = trackme:custom_commands:trackmegetkos
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_check_backups.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_check_backups.log*]
sourcetype = trackme:custom_commands:trackmecheckbackups
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splk_feeds_delayed_inspector.log — custom command log. Event boundaries come only from
# LINE_BREAKER (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a
# logged value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is
# read at line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_splk_feeds_delayed_inspector.log*]
sourcetype = trackme:custom_commands:trackmesplkfeedsdelayedinspector
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmetestremoteaccounts.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# TRUNCATE=0 removes the per-event byte cap, so an arbitrarily long line is indexed whole.
[source::...trackme_trackmetestremoteaccounts.log*]
sourcetype = trackme:custom_commands:trackmetestremoteaccounts
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmefieldsquality.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# NOTE(review): the preceding trackme:custom_commands:* stanzas set TRUNCATE=0; this one does not, so the
# default per-event byte limit applies — confirm whether that difference is intended.
[source::...trackme_trackmefieldsquality.log*]
sourcetype = trackme:custom_commands:trackmefieldsquality
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmefieldsqualityextract.log — custom command log. Event boundaries come only from
# LINE_BREAKER (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a
# logged value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is
# read at line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# NOTE(review): the preceding trackme:custom_commands:* stanzas set TRUNCATE=0; this one does not, so the
# default per-event byte limit applies — confirm whether that difference is intended.
[source::...trackme_trackmefieldsqualityextract.log*]
sourcetype = trackme:custom_commands:trackmefieldsqualityextract
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmefieldsqualitygensummary.log — custom command log. Event boundaries come only from
# LINE_BREAKER (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a
# logged value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is
# read at line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# NOTE(review): the preceding trackme:custom_commands:* stanzas set TRUNCATE=0; this one does not, so the
# default per-event byte limit applies — confirm whether that difference is intended.
[source::...trackme_trackmefieldsqualitygensummary.log*]
sourcetype = trackme:custom_commands:trackmefieldsqualitygensummary
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmefieldsqualitygendict.log — custom command log. Event boundaries come only from
# LINE_BREAKER (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a
# logged value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is
# read at line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# NOTE(review): the preceding trackme:custom_commands:* stanzas set TRUNCATE=0; this one does not, so the
# default per-event byte limit applies — confirm whether that difference is intended.
[source::...trackme_trackmefieldsqualitygendict.log*]
sourcetype = trackme:custom_commands:trackmefieldsqualitygendict
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmepushdatasource.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# NOTE(review): the preceding trackme:custom_commands:* stanzas set TRUNCATE=0; this one does not, so the
# default per-event byte limit applies — confirm whether that difference is intended.
[source::...trackme_trackmepushdatasource.log*]
sourcetype = trackme:custom_commands:trackmepushdatasource
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmeexpandtokens.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# NOTE(review): the preceding trackme:custom_commands:* stanzas set TRUNCATE=0; this one does not, so the
# default per-event byte limit applies — confirm whether that difference is intended.
[source::...trackme_trackmeexpandtokens.log*]
sourcetype = trackme:custom_commands:trackmeexpandtokens
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_splk_fqm_parse.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# NOTE(review): the preceding trackme:custom_commands:* stanzas set TRUNCATE=0; this one does not, so the
# default per-event byte limit applies — confirm whether that difference is intended.
[source::...trackme_splk_fqm_parse.log*]
sourcetype = trackme:custom_commands:trackmesplkfqmparse
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# trackme_trackmeyamlpath.log — custom command log. Event boundaries come only from LINE_BREAKER
# (SHOULD_LINEMERGE=false): each line starting with "YYYY-MM-DD HH:MM:SS" is a new event, so a logged
# value that embeds a newline plus a timestamp-like prefix splits into its own event. Timestamp is read at
# line start with ms precision as UTC; log_level = first word after it; tenant_id is made an indexed
# field by the trackme_indexed_kv_tenant_id transform (transforms.conf, not shown here).
# NOTE(review): the preceding trackme:custom_commands:* stanzas set TRUNCATE=0; this one does not, so the
# default per-event byte limit applies — confirm whether that difference is intended.
[source::...trackme_trackmeyamlpath.log*]
sourcetype = trackme:custom_commands:trackmeyamlpath
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# search_telemetry
# Splunk generates date/time parsing errors for the search telemetry because the second JSON payload of the same
# generated JSON file carries no timestamp.
# This appears to be a Splunk core issue with telemetry; the root cause was not identified.
# It can, however, be worked around with a source-based stanza that forces a date/time configuration.
# Search telemetry JSON files under var/run/splunk/search_telemetry whose name contains "trackme".
# TRUNCATE = 99999 caps each event at 99999 bytes (longer payloads are cut at that point, not dropped).
# DATETIME_CONFIG = CURRENT assigns the indexing time as _time instead of parsing a timestamp from the
# payload; for these events _time therefore reflects when they were ingested, not when the telemetry
# was produced — keep that in mind when building timelines from them.
[source::.../var/run/splunk/search_telemetry/...trackme...telemetry.json]
TRUNCATE = 99999
DATETIME_CONFIG = CURRENT