Getting Data In

Discussions

Thread Info

What is causing Constant time diff of 12 hrs (_indextime - _time)?

Hi, There is constant time diff (_indextime - _time) from few windows server as below, not sure what causing ...

by Path Finder in

How to search for new files put in to folders

Hi guys searched through all topics and couldn`t find anything relevant to my issue. So hope some one would help me w...

by Explorer in

Help Breaking JSON into multiple events using props.conf

Hey everyone. Need some help breaking a json event that is ingested in the current nested json format: [ { "t...

by Explorer in

Ingesting data from Salesforce with HEC

Hi Team, Is it possible to onboard the salesforce data using the HEC methodology? Thanks, Dibeena

by Explorer in

Where can I adjust the settings for universal forwarder data input speed?

Get data from Universal Forwarder, but 100MB data takes an hour Do you have any settings to speed up?

by Path Finder in

How to configuring Splunk to not truncate scripted input running on the universal forwarder?

I've got a scripted input running on a universal forwarder that generates json output to the tune of 18,000+ lines. ...

by Path Finder in

Why is splunk udp 514 syslog going straight to indexer and bypassing a second set of heavy forwarders?

hi all I am running on a windows heavy forwarder on Splunk Enterprise 8.1.7.2 and I listen to ports tcp 9514 and u...

by Loves-to-Learn Everything in

Splunk Could Not Get Description for Event

I've seen this on some older posts, but I am currently battling this issue. For some hosts, restarting it makes the l...

by Path Finder in

Can the Universal Forwarder process core-dumps?

Sometimes our application dumps core (duh!), and we'd like the output of gdb -ex "bt full" -ex quit corefile to be fo...

by Path Finder in

Wrong JSON value extracted by query

I am running following query where in the last I would like to fetch value of "Client" key from json and count all s...

by Path Finder in

Creating a sourcetype keeps failing

I have a sourcetype that I have been trying to break my logs apart, but I keep getting: Failed to parse timestamp: ...

by Communicator in

How to route to an Index based on SourceType AND Host combination in inputs.conf?

I have a setup as Universal Forwarder (UF) - Heavy Forwarder (HF) - Indexer - Search Head (SH). Where multiple UF ar...

by Explorer in

How to restrict UF to not to collect logs older than X Days

Hi SMEs, I need to configure UF to restrict not to collect logs older than X Days. Is it feasible than how? A...

by Path Finder in

Why is Input not working?

Hey Guys.I have a input that is refusing to work.The input that doesnt work is this fortigate one: This one on...

by Communicator in

How to set at the same time in transforms.conf a new index and set a new metadata based on the host name?

Hi, I need to set at the same time in transforms.conf a new index and set a new metadata based on the host name. ...

by Engager in

Handling intermediary forwarders that are deployed as code

Hi all, new to splunk, we are regularly burning down our heavy forwarders and as such the IPs change regularly. I nee...

by Explorer in

How to create a dashboard studio chain search with dropdown token?

Background I would like to create a dashboard with dropdowns that allow underlying queries to create chart to filter ...

by Loves-to-Learn in

Indexing same file: crcSalt = <SOURCE> not working as expected

Hello everybody, I need to ingest into Splunk a CSV file containing an inventory of mobile devices. The HF that mon...

by Path Finder in

Why is windows log going to the wrong sourcetype?

Logs are going to source= WinEventLog:Application and sourcetype="WinEventLog" instead of source="WinEventLog:Securit...

by Explorer in

How do I add a new role via REST API?

Hi, How could I add a new role via REST API ? When I try to send the following HTTP POST via Postman: URL: ...

by Explorer in

Why are JSON Wrapped Windows Logs not being read as JSON by "Add Data"?

Hey, I'm very experienced using Splunk as an analyst, but not at all experienced on the admin side of things, but am ...

by Engager in

How to get JSON response from Splunk web query?

I need to get the JSON response for a Splunk API call for a data model. Is there a way to retrieve this information v...

by Communicator in

Missing "Message" field

We are moving away from using Windows Event Collection to installing the Universal Forwarder on as many Windows machi...

by Explorer in

How to write in props.conf so that the _time field takes time from the unixTime field?

Hello colleagues, I would like to know I have events where there is a unixTime field. But the _time field does not...

by Communicator in

Need help parsing and extracting MongoDB JSON log in Splunk

Hi, I need some help. We have been using Splunk for MongoDB alert for a while, now the new MongoDB version we are...

by Observer in

Get Updates on the Splunk Community!

Getting Data In

Discussions

What is causing Constant time diff of 12 hrs (_indextime - _time)?

How to search for new files put in to folders

Help Breaking JSON into multiple events using props.conf

Ingesting data from Salesforce with HEC

Where can I adjust the settings for universal forwarder data input speed?

How to configuring Splunk to not truncate scripted input running on the universal forwarder?

Why is splunk udp 514 syslog going straight to indexer and bypassing a second set of heavy forwarders?

Splunk Could Not Get Description for Event

Can the Universal Forwarder process core-dumps?

Wrong JSON value extracted by query

Creating a sourcetype keeps failing

How to route to an Index based on SourceType AND Host combination in inputs.conf?

How to restrict UF to not to collect logs older than X Days

Why is Input not working?

How to set at the same time in transforms.conf a new index and set a new metadata based on the host name?

Handling intermediary forwarders that are deployed as code

How to create a dashboard studio chain search with dropdown token?

Indexing same file: crcSalt = <SOURCE> not working as expected

Why is windows log going to the wrong sourcetype?

How do I add a new role via REST API?

Why are JSON Wrapped Windows Logs not being read as JSON by "Add Data"?

How to get JSON response from Splunk web query?

Missing "Message" field

How to write in props.conf so that the _time field takes time from the unixTime field?

Need help parsing and extracting MongoDB JSON log in Splunk

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

.NET Application Runtime Metrics Not Showing in Sp...

Streamfwd drops IPFIX data with “no template recei...

Splunk Observability Cloud/SignalFx - Related Cont...

Splunk Answers Content Calendar May 2025

Edge Processor Destination not showing up in Pipel...

Getting Data In

Are you a member of the Splunk Community?

Discussions