Getting Data In

Thread Info

Revisiting Splunk

I am revisiting splunk to see if it will meet our goals. Right now I am working on the initial index of our data gath...

by New Member in

Light Forwarder, Syslog & Fishbucket Problem

Our indexer and all forwarders are running 4.1.2. Recently we developed a need to send events from our forwarders in ...

by Splunk Employee in

indexing volume vs data size received

What is the relationship between size of logs received by Splunk indexing servers versus indexing volume? On the load...

by Splunk Employee in

Need deployment server to assign hostnames dynamically via inputs.conf

I have a deployment server app with a single inputs.conf file. [tcp://localhost:9997] sourcetype = tcp-raw index =...

by Splunk Employee in

why isn't my static host configuraton in inputs.conf being honored?

I have the following in inputs.conf: [udp://32004] host = custom_host connection_host = n...

by Contributor in

External API for 4.1 - will my application still work?

Hi, I have a development support question. We have an application that is integrated with splunk. We have a C...

by Communicator in

Delete index foobar info older than 2 weeks.

we only want to save the log info for 2 weeks. I tried to set this up by modifying the frozen time, but it doesn’t se...

by Splunk Employee in

Do splunked events, that are gzip'd on disk, stay that way while I am searching them?

Suppose I splunk a file and it is gzip'd on disk under the appropriate Splunk index directory. Then let's say I c...

by Splunk Employee in

Error 'Could not find all of the specified lookup fields in the lookup table.'

Forwarding a question: "... attempting to setup a lookup table. Each time I save an automatic lookup it always ret...

by Splunk Employee in

Will Splunk automatically create an index listed in inputs.conf?

If our app's inputs.conf uses an index other than "main" (e.g. a custom index for our app) does our app's setup UI (o...

by Contributor in

Controlling forwarder TCP connections to indexer

Does a forwarder keep using the initial TCP connection to the indexing server, or does it close the connection after ...

by Splunk Employee in

Web Logs Analysis ( apache )

Hi there. I'm new to splunk. Having a bit of trouble getting my head around it ( I know SQL well ) . I want to get...

by Engager in

Inputs are all enabled but Search dashboard is showing 0 sources and 0 sourcetypes

I am perplexed with what I'm experiencing right now. I have all the file inputs enabled for monitor but I'm not se...

by Splunk Employee in

Rolled log file not being indexed

I monitor a log file (access_log) that gets rolled every night at 1 am using a copy command "cp /dev/null access_toda...

by Splunk Employee in

How do I ensure there is no event overlap in a scripted input?

I am creating an app for Splunk 4.1 that has a scripted input that retrieves data from a database. At first run, it w...

by Splunk Employee in

WMI on windows 2000

Hi, I am collecting event logs thru WMI for Windows 2000 and 2003 servers, for 2003 everything seem ok but for 200...

by Engager in

How do keep splunk from removing syslog priority fields?

How do keep splunk from removing syslog priority fields? They are removed once indexed into splunk.

by Splunk Employee in

Lookup table does not exist error on update to 4.1

Since I updated our server to 4.1.2 I'm seeing the following error with most searches. The lookup table 'sid_...

by Path Finder in

blacklist in batch stanza

Can I use blacklist in a batch stanza? I couldn't find anything in the documentation saying otherwise. Thanks,

by Communicator in

How do you exclude dead machines off the Lost Forwarders search.

I use the recommended search below to find lost forwarders after a 24hr period. http://www.splunk.com/wiki/Deploy...

by Explorer in

Too many open files on forwarders

I'm starting to get a lot of these errors on my forwarders. Any suggestions? Pushing /etc/security/limits.conf doesn'...

by Communicator in

source files associated with a host

How can I easily search through Splunk to figure out which sources are associated with a specific host? I know I ...

by Path Finder in

Yet Another Problem Sending Events to the nullQueue

We are using "heavy" forwarders, but I have the following config on both the forwarder and the indexer but the events...

by Communicator in

stopping all listening ports?

reposting for a user over on the forums: I bounced my indexer and now my forwarders are unable to connect. I just...

by Splunk Employee in

How to forward internal events through two forwarders?

I am having trouble getting _internal and _audit to be forwarder properly when being passed through more than one for...

by Super Champion in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Revisiting Splunk

Light Forwarder, Syslog & Fishbucket Problem

indexing volume vs data size received

Need deployment server to assign hostnames dynamically via inputs.conf

why isn't my static host configuraton in inputs.conf being honored?

External API for 4.1 - will my application still work?

Delete index foobar info older than 2 weeks.

Do splunked events, that are gzip'd on disk, stay that way while I am searching them?

Error 'Could not find all of the specified lookup fields in the lookup table.'

Will Splunk automatically create an index listed in inputs.conf?

Controlling forwarder TCP connections to indexer

Web Logs Analysis ( apache )

Inputs are all enabled but Search dashboard is showing 0 sources and 0 sourcetypes

Rolled log file not being indexed

How do I ensure there is no event overlap in a scripted input?

WMI on windows 2000

How do keep splunk from removing syslog priority fields?

Lookup table does not exist error on update to 4.1

blacklist in batch stanza

How do you exclude dead machines off the Lost Forwarders search.

Too many open files on forwarders

source files associated with a host

Yet Another Problem Sending Events to the nullQueue

stopping all listening ports?

How to forward internal events through two forwarders?

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

4 Ways the Splunk Community Helps You Prepare for .conf25

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions