Getting Data In

Discussions

Thread Info

Replacing backslash not working in SEDCMD after re-directing through transforms.conf and applying it in props.conf.

Hi, I am trying to escape backslash character from json data. It works when I apply SEDCMD definations in props.co...

by Engager in

Splunk UF Deployment - Possible Issues

Hello. We are planning on deploying UFs across our enterprise ~ 3000 systems. Currently, we have deployed UFs to 50 s...

by Explorer in

Lots of log files, how can I reduce forwarder memory usage?

The forwarder is using 4.3 GB memory. I think that is insane. OS: Windows 2008 R2 Splunk 4.2.3 The folder I am mon...

by Path Finder in

_indextime is 5 hrs ahead of event time (_time)

Hi, We have Splunk Enterprise 7.2.6 in our environment. I noticed there are latencies (difference between _time an...

by Explorer in

Active Directory - Admon limits approx 1000 assets

Hi splunkers ! I ve just configured active directory monitoring based on Splunk 7.3 Active Directory inputs. The A...

by Communicator in

Index gzipped files without .gz extension

Hi, I am trying to index gzipped files that do not have the .gz extension on a window universal forwarder. Fir...

by Motivator in

How to break a multi-line event with regex, provided that the date and time containing the milliseconds changes only at the beginning of the line.

Hi, I have the following log format, How can I break this multiline event, with the condition if the date is changed ...

by Path Finder in

Do Universal Forwarders need a license master?

When I restart the Splunk Universal forwarder, the following warnings get logged (to the _internal index): 07-07-2...

by Communicator in

How to transform multiple timestamps in an event

I have an event that prints the actual time which Splunk metadata has, but instead, I want to use the other timestamp...

by New Member in

How do i convert a Json Multi key value pair to multi line chart

Hi I have X number of "totalHitCount" in a JSON file (mtr.gauges.caching_metrics.nodes{}.totalHitCount). Within mu...

by Motivator in

Splunk_TA_Windows Winregistry Sourcetype missing?

All, Just working with Splunk_TA_Windows today and noticed that there is no specified sourcetype in inputs.conf a...

by Builder in

Splunk DBConnect and retention

Hi All, I am wondering how does the retention works when I am ingesting data which is older than the actual reten...

by Explorer in

Logging to Job Inspector from Custom Search Command

Hi folks. I have a custom search command and I am using self.logger to log messages from the command. Please see my l...

by Engager in

What is best practices for forwarders and an index cluster?

Good morning all, I am building a lab environment at AWS and I would like to know which one is the best approach f...

by New Member in

Master Class

I got to manage some indexers, I seek this can be done by master class server. How do i configure it?

by Explorer in

Cisco Router ACL Logs - How to Utilize in Cisco Security App?

Hi All - Just discovered Splunk, and I must say it's an amazing tool. I've configured a router to send syslog m...

by Engager in

Problem with removing spaces using sed - with <> characters present

<Update> <data> <user> <dialogs>/finesse/api/User/72741/Dialogs</dialogs> <extension></extension> <firstName>Bert</fi...

by New Member in

remove source

I added a CSV file (sample1.csv) through "Upload files from my computer" (My host is DESKTOP-7FST5G). I did different...

by New Member in

how to define which heavy forwarder instances to deploy apps?

Hello - I have 3 HFs and about 150 UFs and 1 deployment server and other instances. In a new configuration, how can I...

by Contributor in

About deployment-apps

Hi, all. I have a cluster environment. (1 search head, 2 indexer) I want to change the character code of the data....

by Path Finder in

Getting Data In

Discussions

Replacing backslash not working in SEDCMD after re-directing through transforms.conf and applying it in props.conf.

Splunk UF Deployment - Possible Issues

Lots of log files, how can I reduce forwarder memory usage?

_indextime is 5 hrs ahead of event time (_time)

Active Directory - Admon limits approx 1000 assets

Index gzipped files without .gz extension

How to break a multi-line event with regex, provided that the date and time containing the milliseconds changes only at the beginning of the line.

Do Universal Forwarders need a license master?

How to transform multiple timestamps in an event

How do i convert a Json Multi key value pair to multi line chart

Splunk_TA_Windows Winregistry Sourcetype missing?

Splunk DBConnect and retention

Logging to Job Inspector from Custom Search Command

What is best practices for forwarders and an index cluster?

Master Class

Cisco Router ACL Logs - How to Utilize in Cisco Security App?

Problem with removing spaces using sed - with <> characters present

remove source

how to define which heavy forwarder instances to deploy apps?

About deployment-apps

How to create Alerts for: Data Ingestion exceeding...

f5 Silverline ASM

Index Field Transform not Catching Every Event

splunk-connect-for-kubernetes breaking on every ne...

Need an idea how to reduce Symantec Web Security S...