Getting Data In

Discussions

Thread Info

The aggqueue and parsingqueue consistently full / blocked - how do I increase ?

Search is index="_internal" source="*metrics.log" group="queue" | timechart perc90(current_size) by name Results a...

by Explorer in

Why can't my Splunk instance read a file on another machine?

I'm trying to index a file on a mapped network drive, but I keep getting seeing 'Access is denied' in splunkd.log. I ...

by Splunk Employee in

How do I forward all rsyslog output from an ubuntu server to my Splunk 4.1 server?

On my old setup I had all syslogs going to syslog on the Splunk server, but now I'm doing a fresh setup with Ubuntu 9...

by Explorer in

What happens to my events at Splunk Light Forwarder when the Indexer goes down?

I have a bunch of Lightweight Forwarders (LWF) forwarding to my central indexer. What happens to my events when there...

by Champion in

Why do I get an error about sid_lookup after upgrading to 4.1?

I've just upgraded to 4.1 and now I'm getting an error when I search saying: The lookup table 'sid_lookup' does no...

by Path Finder in

How do I forward data to a specific index?

How do I go about configuring splunk forwarders running on Linux to forward to a specific index for Linux-related inf...

by Explorer in

How can I trigger migration of buckets from Warm to Cold?

If the script to roll the hotDB to the warmDB is "| debug cmd=roll index=main", would there be one for rolling the wa...

by Contributor in

Search based on newly indexed logs

In my office we have a script on our log servers that monitors the hosts sending logs and alerts us if a machine star...

by Path Finder in

How to get the correct gid/uid on windows fschange events

All of my events show up with gid=-1,uid=-1. Is this a bug or am I doing something wrong?

by Communicator in

Why isn't splunkd.log getting forwarded (in 4.0.x, fixed in 4.1) ?

UPDATE: This appears to be a bug specifically related to 4.0.10. The following is a work around in system/local/input...

by Communicator in

How can I easily filter or limit my search down to a specific group of hosts?

I have lots of hosts in my environment, but I only want to search across a few of them from time to time. Can I someh...

by Splunk Employee in

Configuring to support searches for events timestamped in future

We have an global application hosted within a VM environment feeding a common Splunk index server. However the server...

by Explorer in

How do I prevent splunk from launching a separate cmd window on windows 7 (and others?)

Everytime I run a splunk command on windows 7, the command runs in a separate window and closes before I can see what...

by Communicator in

Best practice for using syslog (Cisco ASA en others) from forwarder (Kiwi Deamon)

Hai There, I am dealing with a forwarder to indexer which is reading a kiwi directory with several types of device...

by Contributor in

Do sinkholes work on forwarders?

Does a sinkhole work on all types of forwarders?

by Splunk Employee in

How to disable hostname chaining?

How to disable hostname chaining? Splunk picks the chained hostname rather than the original.

by Splunk Employee in

How do I convert from a light forwarder to a full forwarder?

I have a light forwarder (v4.0.7) I want to change this to a forwarder instead of a light forwarder. The reason being...

by Path Finder in

Why doesn't outputs.conf get migrated from 3.4.x->4.0.x?

We're upgrading our forwarders and we always get the warning that outputs.conf cannot be migrated. However, simply mo...

by Communicator in

How to restore data in HA environment?

When we build 2 Splunk indexing servers for High Availablity, 2 Splunk indexing servers may receive the same log data...

by Path Finder in

How do I setup Splunk to index log4j with org.apache.log4j.RollingFileAppender

We plan to use Splunk to keep log for several java application including web server like Tomcat. Those application ar...

by Path Finder in

Why is there a gap in my metrics.log?

Why would there be a gap of logged events in metrics.log between 01-21-2010 15:47:39.421 and 01-22-2010 08:53:28.231 ...

by Splunk Employee in

How to override Splunk renaming sourcetypes xxx-1 if field name header encountered?

This is related to an earlier question: http://answers.splunk.com/questions/490/why-do-variations-in-sourcetype-appea...

by Builder in

How long do authentication tokens stay valid?

I'm concerned about CLI and REST authentication tokens. How long do those stay valid and is it configurable?

by Path Finder in

How are time zones handled in distributed searches?

Are queries that go to two index servers in different time zones handled correctly? I'm assuming it does, but want to...

by Path Finder in

How to add hosts?

I do not see in any of the manuals or Help how to add host servers. You label the targets as Host on the main page bu...

by Path Finder in

Get Updates on the Splunk Community!

Getting Data In

Discussions

The aggqueue and parsingqueue consistently full / blocked - how do I increase ?

Why can't my Splunk instance read a file on another machine?

How do I forward all rsyslog output from an ubuntu server to my Splunk 4.1 server?

What happens to my events at Splunk Light Forwarder when the Indexer goes down?

Why do I get an error about sid_lookup after upgrading to 4.1?

How do I forward data to a specific index?

How can I trigger migration of buckets from Warm to Cold?

Search based on newly indexed logs

How to get the correct gid/uid on windows fschange events

Why isn't splunkd.log getting forwarded (in 4.0.x, fixed in 4.1) ?

How can I easily filter or limit my search down to a specific group of hosts?

Configuring to support searches for events timestamped in future

How do I prevent splunk from launching a separate cmd window on windows 7 (and others?)

Best practice for using syslog (Cisco ASA en others) from forwarder (Kiwi Deamon)

Do sinkholes work on forwarders?

How to disable hostname chaining?

How do I convert from a light forwarder to a full forwarder?

Why doesn't outputs.conf get migrated from 3.4.x->4.0.x?

How to restore data in HA environment?

How do I setup Splunk to index log4j with org.apache.log4j.RollingFileAppender

Why is there a gap in my metrics.log?

How to override Splunk renaming sourcetypes xxx-1 if field name header encountered?

How long do authentication tokens stay valid?

How are time zones handled in distributed searches?

How to add hosts?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services

How to Execute a Python Script via a Button and Di...

No such file or directory: 'java' adding JMX acco...

WARN SSLCommon [53742 FwdDataReceiverThread] - Re...

Configuring Splunk OTel Collector for Linux/Window...

Upload failed with ERROR: Read Timeout