Getting Data In

Discussions

Thread Info

Why does linebreaking regex have no capturing groups?

Hi Need help to fix the below error My Props : Sample events:

by Path Finder in

Extracting a value from MQTT string before parsing to JSON

I have an requirement to extract a value from an mqtt string before i parse it to json.Initially i was using MQTT Mod...

by Engager in

Can Windows UF send some EventCodes as XML and all othesr as Classic?

Short question: can I configure my window UF inputs.conf to collect Security Event logs as renderXML=false , unless i...

by Engager in

How do I set timezone properly in props.conf?

Our data source is generating syslog data using UTC. Time in the syslog header is formatted as Oct 22 15:51:14. We ma...

by New Member in

Running rsyslog and Splunk Enterprise on the same machine

Hi, I have a small lab (air gapped) with about 2 Linux servers not including the Splunk server and 25 Windows machin...

by Communicator in

How to run a scripted input on only one of several heavy forwarders?

We have a Splunk app that includes multiple scripted inputs.The app is deployed to 15 heavy forwarders, but we want o...

by Motivator in

_time is being set to mtime instead of parsed event time

I have the following source log files:[root@lts-reporting ~]# head /nfs/LTS/splunk/lts12_summary.log2014-07-01T00:00:...

by Engager in

Please help me out to understand the below configs

We have one index os_linux which has 2 source type and i see props and transform is written .can you help me to under...

by Engager in

Missing per_*_thruput metrics on 9.3.x Universal forwarders.

Apply following workaround in default-mode.confAdditionally you can also push this change via DS push across thousand...

by Splunk Employee in

How to Splunk the SAP Security Audit Log

The post question did include the answer, but then it could not be marked as an answer, therefore I pushed the conten...

by Contributor in

Unable to get logs in splunk from mulesoft

Hi, I have created a new token and index in splunk for my mulesoft project. These are the configurations I have don...

by Loves-to-Learn in

Akamai add-on logs are not populating.

We have installed Akamai add-on (https://splunkbase.splunk.com/app/4310) on our HF and installed Java and configured ...

by Communicator in

Unable to send events through log4j in Spark to Splunk

We want to use splunk-library-javalogging to send logs via Log4j to Splunk Service Environment: Spark with log4...

by Loves-to-Learn in

Problem with DC windows Secure logs sending

Hello team! We have a problem with sending data from several Domain Controllers to our splunk instance. We are coll...

by Loves-to-Learn Lots in

How to determine if data sent to HEC came in on Event or Raw endpoint

Is there any way to tell whether data coming into Splunk's HEC was sent to the event or raw endpoint?You can't really...

by Communicator in

add customerID to incoming data (event & metric)

Hello, We have a few hundred hosts and a handful of customers. I have a csv file with serverName,customerID. I've...

by Path Finder in

CIM mapping CrowdStrike Falcon FileVantage (FIM) logs to a daamodel.

Hi All, Has anyone managed to map CrowdStrike Falcon FileVantage (FIM) logs to a Datamodel; if so could you share y...

by Contributor in

Palo alto Strata logging service logs

Hi, I have onboarded palo-alto ...

by Observer in

Why is linecount 2 when it's clearly 1?

For multiple sourcetypes, linecount is 2, while clearly, it should be 1. Has anybody encountered this case?

by Motivator in

Filter/modify data prior to ingestion?

Not sure this is even possible, but I'll ask anyway... I have application(s) that are sending JSON data into Splunk...

by Loves-to-Learn Lots in

Unable to view value from events

Hi, Unsure what is the root cause as i was trying to do some minor adjustment to ignore the [ ] at the transforms.c...

by Path Finder in

How to avoid indexing events twice

Hi, I'm facing an issue where the same data gets indexed multiple times every time the JSON file is pulled from the...

by Path Finder in

User Disable

In earlier versions of splunk i remember there use to be an option to disable active user and it will then show as st...

by Engager in

Typo3 logs to Splunk

Hi, I need recommendations on typo3 logs source type. Be default, I set source type as "typo3" in inputs.conf but...

by Path Finder in

How to split a json array into multiple events?

I'm looking for a way to split a JSON array into multiple events, but it keeps getting indexed as a single event. I...

by Path Finder in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Why does linebreaking regex have no capturing groups?

Extracting a value from MQTT string before parsing to JSON

Can Windows UF send some EventCodes as XML and all othesr as Classic?

How do I set timezone properly in props.conf?

Running rsyslog and Splunk Enterprise on the same machine

How to run a scripted input on only one of several heavy forwarders?

_time is being set to mtime instead of parsed event time

Please help me out to understand the below configs

Missing per_*_thruput metrics on 9.3.x Universal forwarders.

How to Splunk the SAP Security Audit Log

Unable to get logs in splunk from mulesoft

Akamai add-on logs are not populating.

Unable to send events through log4j in Spark to Splunk

Problem with DC windows Secure logs sending

How to determine if data sent to HEC came in on Event or Raw endpoint

add customerID to incoming data (event & metric)

CIM mapping CrowdStrike Falcon FileVantage (FIM) logs to a daamodel.

Palo alto Strata logging service logs

Why is linecount 2 when it's clearly 1?

Filter/modify data prior to ingestion?

Unable to view value from events

How to avoid indexing events twice

User Disable

Typo3 logs to Splunk

How to split a json array into multiple events?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Forwarding all logs from HF to third-party using s...

Splunk Observability Cloud/SignalFx - Related Cont...

Regex works but transforms.conf extracts only part...

Splunk Answers Content Calendar May 2025 🎉

Edge Processor Destination not showing up in Pipel...

Getting Data In

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!