Getting Data In

Discussions

Thread Info

How do I use props.conf and or transforms.conf to parse log file?

I would like to use props.conf and/or transforms.conf to parse data coming from a generic single line log file usi...

by Contributor in

Create Table Based on Findings?

We have AV logs that send the detection and the block separately. I'm trying to create a query where I can take each ...

by New Member in

Windows xml and non-xml format difference- Am I getting duplicate raw event?

Hello, i'm currently ingesting XML and non-xml windows event logs, i wanna know the impact if i disable the ren...

by Engager in

Regex help to mask data

I have to ingest some data so i've created a field called customer data and the regex works fine - ^[0-9]{16}.{249}(?...

by Communicator in

How to onboard AIX wtmp logs to splunk?

We would like to know how to onboard an AIX wtmp logs to splunk ?Can it be done via Universal Forwarder ? If so can y...

by Observer in

Why is event time different from server time?

Hi all, we have migrated HF where DB connect app was installed and now events from DB app on new HF have different...

by Loves-to-Learn Lots in

How can I keep Syslog from reading and storing data?

In syslog ng I didn’t want to read the data and store the data , how do you do that?

by Loves-to-Learn in

How to Parse and Tag custom application logs before forwarding to Splunk server?

Dear Splunkers, really sorry for my question , I do feel that reply would be on another thread(couldn't find it), ...

by Engager in

Trouble extracting multivalue fields- How do I separate these fields into their own events?

Hi all - I am having trouble pulling out mv fields into separate events. My data looks like this: I'd like to ...

by Communicator in

How to merge 2 json objects?

Hello, I have an existing json object and I'd like to merge another json object into it. I don't want to combine them...

by Explorer in

How to extract xml value having multiple same child tag?

I have following sample XML event where I want to extract specific value for a child tag . Ex when <Order fact> val...

by Loves-to-Learn in

Why is our new cloned server reflecting an old hostname?

We have a server that was cloned to that have a different hostname. The old server was shutdown and the team is now u...

by Communicator in

What search can list the Empty indexes which are not sending data to splunk enterprise?

Hi team, I am from admin team i wanted to how many of indexes are empty and are not having data anymore in it so t...

by Path Finder in

How to use collectd on a remote host with Universal Forwarder?

Hello, My goals is to send rrd file data to a splunk indexer. I have a remote host that currently forwards linu...

by Contributor in

Is it possible to have scheduled saved search using summary indexing and dynamic token depending on user query?

Hello,one user wants to convert dashboard with token to summary indexing dashboard.We are using | sistats or similar,...

by Motivator in

How to change date format multiple time

Hello, I'm trying to change my date format two times because i want to sort to order my month from January to Decem...

by Explorer in

Possible to rewrite the sourcetype twice?

Hi, I am trying to get the Splunk_TA_esxilogs app to work in our Splunk Enviroment, but cant get it working togethe...

by Path Finder in

Why have Indexes stopped logging query/alert?

Hi - I am trying to run the below query to help create an alert that will show when we haven't had an alert for a par...

by Observer in

IIS logs ingestion- Why is it showing 'invalid directory'?

Hello All, It is with reference to the Logs ingestion of IIS server. I have universal forwarder installed on the ...

by Explorer in

IIS Logs-Do i need to copy the Splunk_TA_microsoft-iis folder to the server with the iis logs?

Hi, I am trying to setup iis logs forwarded to splunk enterprise. I am a bit confused as new to splunk but i have ...

by Engager in

if no events

when i was learning splunk i encountered following question: analyze following SPL query* | outputlookup my dummy...

by Loves-to-Learn in

Many small files - high memory usage Splunk Forwarder- Is there a way to reduce?

Is there a way to reduce memory usage for splunk Forwarder? I have two directories with 57k files each (120Mb each) a...

by Explorer in

How to apply EVENT_BREAKER on UF for better data distribution instead of using outputs.conf forceTimebasedAutoLB=true?

How to apply props.conf EVENT_BREAKER on UF for better data distribution instead of using outputs.conf forceTimebased...

by Splunk Employee in

Why is inputs.conf not indexing /var/log/messages?

Hello, I have a odd issue which seems to have been resolved but I would like to know the root cause of this issue....

by Explorer in

Why am I unable to see Logs first week of every month?

Hello All I got a requirement to Upload Logs to Splunk Out of 5 Hosts 3 are Linux and other 2 are windows Th...

by Path Finder in

Get Updates on the Splunk Community!

Getting Data In

Discussions

How do I use props.conf and or transforms.conf to parse log file?

Create Table Based on Findings?

Windows xml and non-xml format difference- Am I getting duplicate raw event?

Regex help to mask data

How to onboard AIX wtmp logs to splunk?

Why is event time different from server time?

How can I keep Syslog from reading and storing data?

How to Parse and Tag custom application logs before forwarding to Splunk server?

Trouble extracting multivalue fields- How do I separate these fields into their own events?

How to merge 2 json objects?

How to extract xml value having multiple same child tag?

Why is our new cloned server reflecting an old hostname?

What search can list the Empty indexes which are not sending data to splunk enterprise?

How to use collectd on a remote host with Universal Forwarder?

Is it possible to have scheduled saved search using summary indexing and dynamic token depending on user query?

How to change date format multiple time

Possible to rewrite the sourcetype twice?

Why have Indexes stopped logging query/alert?

IIS logs ingestion- Why is it showing 'invalid directory'?

IIS Logs-Do i need to copy the Splunk_TA_microsoft-iis folder to the server with the iis logs?

if no events

Many small files - high memory usage Splunk Forwarder- Is there a way to reduce?

How to apply EVENT_BREAKER on UF for better data distribution instead of using outputs.conf forceTimebasedAutoLB=true?

Why is inputs.conf not indexing /var/log/messages?

Why am I unable to see Logs first week of every month?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions