Getting Data In

Thread Info

Remove Hosts w/ Zero Events

I recently upgraded to 4.1.2 from 3.4.x. I needed to remove several hosts from our index, so I followed the instructi...

by Explorer in

Is it possible to reindex result of splunk search result to a new index file and source type?

It it possible to get the result of current splunk index to a new index files as a new source type? [ Already inde...

by Communicator in

Is there a way to route data being sent to a UDP port to a specific index based on the source host?

My Splunk server is listening to UDP port 514 for syslog information. How can I route data to a given index based on ...

by Explorer in

When a file is already set to index to splunk, and that file gets overwritten with updates, meaning instead of file being appended, does splunk smart enough to not to reindex already indexed data and only index what's newly aded?

Instead of file being appended, if the file gets overwritted or rewrited, does splunk re-evaluates the entire file da...

by Communicator in

Can I linebreak indexed data that's not correctly linebroken?

I have seen manytime where Splunk didn't copped either multi or single line data correctly ending up with events that...

by Communicator in

How can I extract the DATE from the middle of an event?

I have an ISA web log of the following format. Splunk doesn't correctly identify the timestamp in every event, even t...

by Splunk Employee in

fschange creating event for each line of file.

I am trying to implement file integrity monitoring. I have configured fschange as follows: [fschange:/opt/bea/10_s...

by Explorer in

how do I change a host when seeing multiple hosts?

I see the same host in my Summary page in Search app with same event count. They are the same host but show up lik...

by Engager in

What's the limit of index count per indexer?

Hi everybody At the moment I've got about 170 indexes on my indexer. I What's the best practice limit of number...

by Contributor in

What is the purpose of the _s _st and _h indexed fields?

Can someone shed light on the purpose of the _s _st and _h indexed fields? These seem to correspond to source, source...

by Super Champion in

Agent vs Agentless event gathering on Windows

Regarding agent vs agentless data / event gatering, WMI (agentless) seems easier to setup from within Splunk to pull ...

by Splunk Employee in

How to take advantage of a multi-core indexer?

My indexer has a Intel Xeon X5570 which has four cores. http://ark.intel.com/Product.aspx?id=37111 How can I ma...

by SplunkTrust in

Who is forwarding data

How can I tell which servers in my enterprise are forwarding to the master server. We do automated installs of vm's a...

by Explorer in

Splunking my Checkpoint firewall logs

Can Splunk index events from my Checkpoint firewall logs? If so, how can I set that up?

by Splunk Employee in

Use the Deployment Manager to change Splunk Forwarding agent passwords?

Currently, all agents installed on hosts default to 'changeme' and this credential is still used when the forwarder i...

by Explorer in

Forwarded events are showing on CLI output during CLI search operation.

I had configured splunk forwarder and receiver in a Linux system as per the Admin manual. I tried searching the forwa...

by Engager in

index settings using "auto" - what is my bucket size?

We are on 4.05 and are using the default of memPoolMB = auto in indexes.conf. Is there a way I can find out what size...

by Path Finder in

If using the LWF, what do I need to enable to send syslog (udp) to a 3rd party system?

Referenced Doc: http://www.splunk.com/base/Documentation/4.1/Admin/Moreaboutforwarders I need to be able to send d...

by Path Finder in

I've set up a forwarder but I'm not receving any events on the splunk indexer.

I've verified that the indexer (receiver) is the same or later version of Splunk as the forwarder. What log or config...

by Splunk Employee in

Splunk 3.4.4 LWF doesn´t process data until logrotate happens. Why?

We have on four Linux SLES10_64 Servers Splunk 3.4.4. Forwarders installed. Usually our production logs produce a con...

by Contributor in

how do i segregate data from one splunk forwarder in a seperate index?

I have one splunk forwarder I need to segregate from other indexes. I have created its own index and I need to know h...

by Path Finder in

Too many license violations, how do I get searches working again?

Currently, when I try to run a search in Splunk, I get the following error message: "Error in 'UnifiedSearch': Yo...

by Communicator in

How to forward data to different indexes from one single input.conf forwarder to one single indexer?

Hello, i want to collect logs from one forwarder (Splunk 4.0.10) and forward the data to different indexes on one ...

by Contributor in

Splunkweb crashes, although splunkd is still running, is this a known problem?

This has happened twice so far in a week. Users begin contacting me that they are unable to log in. Both times ...

by Explorer in

overriding sourcetype with sourcetype= in props.conf

Hello, when using the following setup in props.conf, i was able to get the sourcetypes I want. [source::/var/splun...

by Path Finder in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Remove Hosts w/ Zero Events

Is it possible to reindex result of splunk search result to a new index file and source type?

Is there a way to route data being sent to a UDP port to a specific index based on the source host?

When a file is already set to index to splunk, and that file gets overwritten with updates, meaning instead of file being appended, does splunk smart enough to not to reindex already indexed data and only index what's newly aded?

Can I linebreak indexed data that's not correctly linebroken?

How can I extract the DATE from the middle of an event?

fschange creating event for each line of file.

how do I change a host when seeing multiple hosts?

What's the limit of index count per indexer?

What is the purpose of the _s _st and _h indexed fields?

Agent vs Agentless event gathering on Windows

How to take advantage of a multi-core indexer?

Who is forwarding data

Splunking my Checkpoint firewall logs

Use the Deployment Manager to change Splunk Forwarding agent passwords?

Forwarded events are showing on CLI output during CLI search operation.

index settings using "auto" - what is my bucket size?

If using the LWF, what do I need to enable to send syslog (udp) to a 3rd party system?

I've set up a forwarder but I'm not receving any events on the splunk indexer.

Splunk 3.4.4 LWF doesn´t process data until logrotate happens. Why?

how do i segregate data from one splunk forwarder in a seperate index?

Too many license violations, how do I get searches working again?

How to forward data to different indexes from one single input.conf forwarder to one single indexer?

Splunkweb crashes, although splunkd is still running, is this a known problem?

overriding sourcetype with sourcetype= in props.conf

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

.NET Application Runtime Metrics Not Showing in Sp...

Streamfwd drops IPFIX data with “no template recei...

Forwarding all logs from HF to third-party using s...

Splunk Observability Cloud/SignalFx - Related Cont...

Splunk Answers Content Calendar May 2025 🎉

Getting Data In

Are you a member of the Splunk Community?

Discussions