Data Onboarding part II Flashcards
What are the 7 + 2 attributes of props.conf?
- TIME_PREFIX
- MAX_TIMESTAMP_LOOKAHEAD
- TIME_FORMAT
- TZ
- SHOULD_LINEMERGE
- LINE_BREAKER
- TRUNCATE
- BREAK_ONLY_BEFORE
- BREAK_ONLY_BEFORE_DATE
What does TIME_PREFIX do?
It is used to tell Splunk where to start looking for the timestamp in your event: the regex that precedes the timestamp (a kind of anchor).
What does MAX_TIMESTAMP_LOOKAHEAD do?
Enables Splunk to run more efficiently because it does not have to spend extra time and resources finding the timestamp. You can tell Splunk your timestamp is 20 characters into your event, so Splunk will not waste any time looking through the entire event.
Set a value for the MAX_TIMESTAMP_LOOKAHEAD setting to specify how far into an event past the TIME_PREFIX location to look for the timestamp.
By constraining the amount of time to look ahead, you can improve both the accuracy and performance in determining and extracting the timestamp.
What does TZ do?
It stands for time zone. It sets the appropriate time zone for the host, so that the time shows up correctly on your search head.
What does SHOULD_LINEMERGE do?
It tells Splunk what to do with multiple lines: should Splunk merge multiple lines into one event, or treat each line as a new event? When you have multi-line events, or events containing line breaks that belong to the same event, this should be set to “true”. It is generally set to false and used along with LINE_BREAKER to speed up processing.
What does LINE_BREAKER do?
It tells Splunk where to break the data to start a new event. This is important, because if it is not set correctly, you can have data that is spread across multiple events. LINE_BREAKER uses a regex to define the pattern, so when Splunk comes across this pattern it knows that this signals the end of one event and the beginning of the next. It should be used in conjunction with SHOULD_LINEMERGE=false.
What does TRUNCATE do?
It tells Splunk where to limit the size of an event in bytes. By default Splunk limits the size of an event to 10 000 bytes. Then set TRUNCATE to 999999 depending on your event size, so that the event does not truncate early. You can also use this in the case of extremely verbose data, where you only wish to capture part of the event and discard the rest.
What does BREAK_ONLY_BEFORE do?
It detects a specific regex pattern, and will break the event if the pattern is somewhere in the next line.
What does BREAK_ONLY_BEFORE_DATE do?
If it detects a date in a line, it will break the event before that line.