Getting Data In

Thread Info

How to search with regex and status count to show in a table?

Hi, need some help in crafting a search query that could get count by a regex and display counts in a table. ...

by Explorer in

Having Difficulty Understanding Stanza in props.conf?

Hey all, I have a relatively dumb question. I'm trying to familiarize myself with Splunk's props.conf and transfor...

by Path Finder in

Why does one log contains multiple messages with same timestamp?

Hi guys, I was wondering if some one could please give me a hand on this. We have written a custom TA to extract l...

by Path Finder in

Sourcetypes with Docker and HTTP Event Collector

(Trying to pull a few similar discussions together and recorded for posterity) Challenge The current Docker Log...

by Splunk Employee in

Windows Directory Monitoring: How to get file monitoring activity returned to my splunk server?

Hi all, Splunk newbie with what I hope is a simple question...I have a UF installed on my windows file server, an...

by Engager in

Can't Extract CEF Fields in Distributed Environment

Hello to all.I am using the CEF Extraction TA for extracting CEF fields in a FireEye log. When I test this on a stan...

by Builder in

Duplicate logs in Splunk for multiple sourcetypes?

Hi All, Good day, we are getting Duplicate logs in Splunk for multiple sources with same event example below ho...

by Path Finder in

Splunk Indexing is Paused Internal Grace Period?

Hi All We are Using the Splunk Enterprise version with the Perpetual License Model with Index Capacity of 5 GB . W...

by New Member in

Getting data into Splunk from Nagios-LS

Howdy, I was wondering if anyone has any guidance on how to ingest data from Nagios Log Server? Prior to my arriv...

by Loves-to-Learn in

How to configure the forwarding of Microsoft Windows Print Server logs?

Hi Guys, I have installed universal forwarder on Print server, Windows Server 2012 R2 and configured the receiver IP ...

by New Member in

Regarding Windows Print Monitoring, what do each of the "operation" field values mean, i.e., add, set, baseline?

Regarding Windows Print Monitoring, what do each of the "operation" field values mean, i.e., add, set, baseline? F...

by Engager in

Why are events with equal timestamps merged into one event?

I have a few files in which the log events happen to not be in chronological order. Specifically, an event with sa...

by Path Finder in

How to remove logs from specific sourcetype being indexed?

Hi Everyone, Im trying to stop the following index from being indexed into Splunk using the props/transforms confs...

by Path Finder in

Can a Heavy-Forwarder just raw forward and not parsing?

Hi all. Like the subject, can i tell an HF not to PARSE the events, just do a banal tcp forwarding of the raw data...

by Builder in

How to send aws eventbridge events to a specific index on splunk cloud

We have been trying to ingest aws eventbridge events to splunk cloud using API destination partners provided by aws b...

by New Member in

Does the data flow through those same queues at the indexer?

If an HF is used for a intermediate / aggregation tier and the data is parsed, what does the ingestion pipeline look...

by Communicator in

Why does UF still require clientCert when requireClientCert is already disable in indexer?

Hello Splunkers, I would like to understand why a cert is need for the UF, when indexer already has requireClientCert...

by Explorer in

How to forward an index to another Splunk instance (n00b)?

I found this Index and Forward data into another splunk instance and then found the current version of the reference...

by Explorer in

How to add multiple _meta from one field?

Hi all, I want to have on a HF (8.1.4) multiple _meta of one field values in one stanza.Any sugestion how?Example:...

by Explorer in

Upgraded Indexer shuts down pipeline and has to be restarted?

We have recently upgraded an indexer from 8.2.6 to 9.0.2 (running on Windows) and since then we have been plagued by ...

by Communicator in

How to blacklist server from heavy forwarder?

Currently my Heavy Forwarder is receiving unwanted logs from a lot of different devices, and it is taking up a lot of...

by Engager in

inputs.conf blacklist format- Is there a format that needs to be adhered to when using a blacklist with regex?

is there a format that needs to be adhered to when using a blacklist with regex? I am trying to format "New Proce...

by Explorer in

Telegraf - How to solve this HEC SSL Issue?

Hi, I am trying to use Telegraf to send data to Splunk HEC. However not sure how to get past the certificate issue. ...

by New Member in

Can a Heavy Forwarder send cooked but unparsed data?

Is it possible to have a heavy forwarder send unparsed (not raw) cooked data? I have a server which needs to forward ...

by Explorer in

Recommended settings for HEC batch?

When sending batch data to HEC server, with multiple events per request, is it better to send large (10k-100k), mediu...

by Contributor in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

How to search with regex and status count to show in a table?

Having Difficulty Understanding Stanza in props.conf?

Why does one log contains multiple messages with same timestamp?

Sourcetypes with Docker and HTTP Event Collector

Windows Directory Monitoring: How to get file monitoring activity returned to my splunk server?

Can't Extract CEF Fields in Distributed Environment

Duplicate logs in Splunk for multiple sourcetypes?

Splunk Indexing is Paused Internal Grace Period?

Getting data into Splunk from Nagios-LS

How to configure the forwarding of Microsoft Windows Print Server logs?

Regarding Windows Print Monitoring, what do each of the "operation" field values mean, i.e., add, set, baseline?

Why are events with equal timestamps merged into one event?

How to remove logs from specific sourcetype being indexed?

Can a Heavy-Forwarder just raw forward and not parsing?

How to send aws eventbridge events to a specific index on splunk cloud

Does the data flow through those same queues at the indexer?

Why does UF still require clientCert when requireClientCert is already disable in indexer?

How to forward an index to another Splunk instance (n00b)?

How to add multiple _meta from one field?

Upgraded Indexer shuts down pipeline and has to be restarted?

How to blacklist server from heavy forwarder?

inputs.conf blacklist format- Is there a format that needs to be adhered to when using a blacklist with regex?

Telegraf - How to solve this HEC SSL Issue?

Can a Heavy Forwarder send cooked but unparsed data?

Recommended settings for HEC batch?

Splunk ITSI & Correlated Network Visibility

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Index time field extraction problem with space

Regex works but transforms.conf extracts only part...

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

Getting Data In

Are you a member of the Splunk Community?

Discussions