Just a few notes on settings that everyone should be thinking about when creating custom sourcetypes or technology add-ons in Splunk...
Data Parsing

Do you have these configurations in props.conf?

- SHOULD_LINEMERGE =
- LINE_BREAKER =
- MAX_TIMESTAMP_LOOKAHEAD =
- TIME_PREFIX =
- TIME_FORMAT =
- TRUNCATE =

For single-line data, set SHOULD_LINEMERGE = false and let LINE_BREAKER (a regex that must contain a capture group) split events; line merging is expensive at index time and easy to get wrong. TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD tell Splunk where to start looking for the timestamp and how many characters to scan, which keeps it from picking up a stray date later in the event.

More Data Parsing...

- ANNOTATE_PUNCT = false (if you don't need the punct field)
- TZ = (if it's not part of the timestamp in your data)
- CHARSET = UTF-8 (usually)
- NO_BINARY_CHECK = true
- KV_MODE =

Check out Splunk's documentation on props.conf for help with these settings.

Field Extractions

Are you extracting fields for your users at data on-boarding? You should be! Splunk tends to grow organically, and if your data isn't well-groomed when you bring it on, it may never be. Set your users up for success by identifying the fields they need and getting them extracted when you on-board their data. Use either EXTRACT in props.conf or a REPORT in props.conf with a corresponding REGEX/FORMAT stanza in transforms.conf. For CIM compliance, use this as a guide: http://docs.splunk.com/Documentation/CIM/4.12.0/User/Howtousethesereferencetables

Or, consider using the Splunk Add-on Builder.

A word on community-built/3rd party apps and addons....
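Here is an added example pulling the parsing settings and a search-time field extraction from the sections above into one props.conf/transforms.conf pair. It is not from the original post: the sourcetype name acme:auth, the stanza name acme_auth_fields, and the log format of the constructed sample event are all assumptions chosen for illustration.

```ini
# props.conf  (added example; sourcetype name and log format are assumed)
[acme:auth]
# Constructed sample event this stanza is written against:
#   2020-10-05 14:23:07.123 auth-api LOGIN jdoe 10.1.2.3 success
# One event per line, so no line merging; LINE_BREAKER needs a capture group.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Timestamp is at the start of the line and is 23 characters long.
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
# No offset in the timestamp, so the zone has to come from TZ.
TZ = UTC
TRUNCATE = 10000
CHARSET = UTF-8
NO_BINARY_CHECK = true
# Not a key=value format and nobody needs punct, so turn both off.
ANNOTATE_PUNCT = false
KV_MODE = none
# Search-time extraction; the stanza name below must exist in transforms.conf.
REPORT-acme_auth_fields = acme_auth_fields

# transforms.conf  (added example; field names follow the CIM Authentication model)
[acme_auth_fields]
# Skip the two timestamp tokens, then capture app, user, src and action.
REGEX = ^\S+\s+\S+\s+(?<app>\S+)\s+\S+\s+(?<user>\S+)\s+(?<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?<action>success|failure)
```

Named capture groups in REGEX become field names, so no FORMAT line is needed; the same regex could be placed inline as EXTRACT-acme_auth_fields in props.conf instead if you don't want a separate transforms.conf stanza. Keep in mind where each part takes effect: the parsing settings (line breaking, timestamp, TRUNCATE, CHARSET) must reach the first full Splunk instance that touches the data (indexers or heavy forwarders), while REPORT/EXTRACT is search-time and belongs on the search heads. After deploying, `splunk btool props list acme:auth --debug` shows which file each effective setting came from, which is the quickest way to catch a stanza that was shadowed by another app.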
Author: Mason Morales
October 2020