Getting Data In

Thread Info

Location of props.conf and transforms.conf in a distributed setup

Hi Guys.I have a distributed setup consisting of 1 search head, 1 deployment/license server, 1 indexer.And a whole bu...

by Communicator in

What are some best practices for Splunk universal forwarder?

My Splunk Forwarder inputs.conf looks like this: [batch://C:\Splunk\MyApi\Local\Api\*.json]index = myapi_localmove...

by Explorer in

How to split single sourcetype in multiple ones based on json field value?

Hi all, recently my customer asked me to integrate different JSON log sources (VPN concentrator, WAF and Load Bala...

by Communicator in

Would a Python Virtual Environment be compatible with Splunkbase and Splunk Cloud?

Trying to develop an app that has a the 'cryptography' library as a dependancy. The built in Splunk Python interprete...

by Observer in

Getting Splunk to correctly read custom AWS VPC flow logs

Hello All,I recently started ingesting vac flow logs from my AWS environment using the data manager app, and everythi...

by Path Finder in

What is the query to setup a report to log all activity from a user?

What is the query to setup a report to log all activity from a user? Basically anytime they access the VPN and log in...

by Loves-to-Learn Lots in

How to determine the Operating system language?

Hi Team, Is there any way to determine the Operating system language before we ingest the logs in Splunk? After i...

by Loves-to-Learn in

How to restore logs from frozen bucket?

Hi - in frozen\index\colddb, I have the following files (db_ and rb_) [splunk@spkpnxl1 wineventlog]$ cd colddb [splun...

by Contributor in

Why am I getting "Error in JSON response: Unexpected EOF" while attempting to deploy shcluster-bundle?

We recently upgraded our test environment from 6.4.2 to 6.5.2 and upon attempting to deploy a new search head cluster...

by SplunkTrust in

Dashboard Studio - Screens to CRUD KV store records- What is everyone else using?

Does anyone feel like we are going to be able to create modern dashboards which allow us to interact with kvstore dat...

by Path Finder in

Need help with splunk SPL or REST API

Need help with splunk SPL or rest api to fetch areport where we can see the count of total servers(splunk universal f...

by Explorer in

Why can't I see the indexes I created in search results?

hi pls am having problem viewing the indexes i created in my clustered environment. They were all created on the clus...

by Path Finder in

How to send specific logs to a sourcetype?

Hello All, I have query index=xxxx sourcetype=xxx_* NOT(ASA) which actually filters logs that are not ASA fro...

by Path Finder in

How to change value of an attribute using condition before indexing?

Hi, I want to index simple xml file. <?xml version="1.0" encoding="utf-8"?><unitData xmlns:xsi="http://www.w3.org/...

by Contributor in

Can I click on dashboard to view events in another panel in same dashboard?

I tried to view the events in detail on another panel .so, I tried putting in the token Its not showing the clicked e...

by Explorer in

Why is SEDCMD in props.conf to remove part of header line not working?

I am forwarding F5 logs from a syslog server, but I have an additional timestamp and host IP (log below with strike-t...

by Path Finder in

Indexer cluster: "Oldest Data Age" extremely high for some indexes

Hello, We have noticed that in Monitoring Console-> Indexing-> Indexes and Volumes -> Indexes and Volumes: Deployme...

by Path Finder in

How to list all the KV stores /collections via SPL Splunk Search?

I want to list all the Kv store collections through SPL. something like below... | rest /servicesNS/-/- ....... u...

by Contributor in

How to configure the SHC members and the deployer?

Hello Are you okay?Can you help me, I'm trying to configure the Deployer to send the Apps to the SH's but I'm getting...

by Engager in

Unable to upgrade HF server from 8.2 to 9.01 using rpm command

[user]$ sudo rpm -U --prefix=/opt/splunk splunk-9.0.1-82c987350fde-linux-2.6-x86_64.rpmerror: splunk-9.0.1-82c987350f...

by Engager in

What are Wineventlog overload/limiting best practices?

We've got Splunk_TA_Windows installed on a number of our servers sending data to our Splunk Cloud instance. However, ...

by Explorer in

Detection of duplicate files in batch mode

Dear all, I have the use case that my splunk universal forwarder does not continuously monitor my logs. Because o...

by Path Finder in

Has anyone done anything with Azure scale sets?

Hi, Has anyone done anything with Azure scale sets, I guess I will need to correlate across a number of logs to de...

by Path Finder in

Why are we not getting all the details in Azure sign-in logs using Microsoft Azure Add-on for Splunk after upgrade?

Post upgrading Microsoft Azure Add on for Splunk to 3.2.0 we are not receiving authentication details in Splunk. Also...

by Engager in

Why is SED command not working on Splunk Cloud?

Hi I am sending windows system and security data to splunk cloud. Data is collected using UF and forwarded to clou...

by Engager in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Location of props.conf and transforms.conf in a distributed setup

What are some best practices for Splunk universal forwarder?

How to split single sourcetype in multiple ones based on json field value?

Would a Python Virtual Environment be compatible with Splunkbase and Splunk Cloud?

Getting Splunk to correctly read custom AWS VPC flow logs

What is the query to setup a report to log all activity from a user?

How to determine the Operating system language?

How to restore logs from frozen bucket?

Why am I getting "Error in JSON response: Unexpected EOF" while attempting to deploy shcluster-bundle?

Dashboard Studio - Screens to CRUD KV store records- What is everyone else using?

Need help with splunk SPL or REST API

Why can't I see the indexes I created in search results?

How to send specific logs to a sourcetype?

How to change value of an attribute using condition before indexing?

Can I click on dashboard to view events in another panel in same dashboard?

Why is SEDCMD in props.conf to remove part of header line not working?

Indexer cluster: "Oldest Data Age" extremely high for some indexes

How to list all the KV stores /collections via SPL Splunk Search?

How to configure the SHC members and the deployer?

Unable to upgrade HF server from 8.2 to 9.01 using rpm command

What are Wineventlog overload/limiting best practices?

Detection of duplicate files in batch mode

Has anyone done anything with Azure scale sets?

Why are we not getting all the details in Azure sign-in logs using Microsoft Azure Add-on for Splunk after upgrade?

Why is SED command not working on Splunk Cloud?

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions