Getting Data In

Discussions

Thread Info

Missing "Message" field

We are moving away from using Windows Event Collection to installing the Universal Forwarder on as many Windows machi...

by Explorer in

How to write in props.conf so that the _time field takes time from the unixTime field?

Hello colleagues, I would like to know I have events where there is a unixTime field. But the _time field does not...

by Communicator in

Need help parsing and extracting MongoDB JSON log in Splunk

Hi, I need some help. We have been using Splunk for MongoDB alert for a while, now the new MongoDB version we are...

by Observer in

Data Onboarding issue- unable to see the data in splunk

Hello All, I have configured the inputs and props but unable to see the data in splunk. I have around 20 monito...

by Path Finder in

Why is indexes.conf change not reflected in GUI without restart?

I use Splunk Enterprise 8.0.4.1 In indexes.conf I have changed maxTotalDataSizeMB value. According to https://d...

by Path Finder in

Help with props.conf to detect timestamp

Hello Splunkers, I have the following raw event.It was parsing with correct date and time until the daylight ...

by Communicator in

How to monitor path in RHEL 8 but not RHEL 7?

Hello I am using the Spunk_TA_nix and a server class to push that out to all nix boxes, but server class is not granu...

by Path Finder in

Error: WinRegistryMonitor::configure: Failed to get configuration settings: 'Regex: number too big in {} quantifier'

I found many errors from _internal log ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-...

by Explorer in

Why are none of the Perfmon inputs are sending Data Into Metrics Index and not showing errors?

Hello, We're running into an issue with a UF sending data to a new metrics index under an app deployed by our depl...

by Explorer in

Why is splunk not forwarding on windows?

Hello community Trying to figure out what is blocking/affecting UF on Windows Agent was installed using CLI ...

by Builder in

Cisco Firepower Estreamer Questions

Hello, We want to onboard Cisco firepower devices and we can't decide between estreamer and syslog input. I wou...

by Observer in

Why is some data source indexed one hour in the future?

Hi, Some data source is indexed one hour in the future (probably since TZ shift => twice a year hour change in Fra...

by Communicator in

Splunk cannot find my file

Hi, I have problem here, i already complete file transferring to Splunk server using cronjob. But unfortunately, all ...

by Engager in

Insecure Cipher Suites on Splunk Indexer and Deployment Server

We have got below vulnerabilities on Splunk servers, please help how to resolve it insecure cipher suites:* TLS 1.2...

by Explorer in

What is the hot bucket max time?

Hi All I'm very new to Splunk can someone help me after how many days the data will transfer from hot bucket to wa...

by Path Finder in

How to Send XML file logs to Splunk with this splunk-connect-for-kubernetes?

Splunk connect for-kubernetes and I have been tryingto forward the XML file logs to splunk w...

by Loves-to-Learn in

How to see the logs of the second forwarders logs? (Using two forwarders and one indexer)

Hello there, I am working on VMware, I have two linux machines that I'm using as universal forwarders (ubuntu desk...

by Path Finder in

Why is cmd script not running?

hi all, i try to run a cmd script on a UF. it's located in %SPLUNK_HOME%\etc\apps\log4jscan\bin\log4jscan.cmd and...

by Path Finder in

Why is Splunkd not starting after a reboot, wih Systemd enable-boot start?

We setup splunkd to autostart using systemd.-> https://docs.splunk.com/Documentation/Splunk/latest/Admin/RunSplunkass...

by Splunk Employee in

Splunk indexer service: Why error "RHEL 7.1 systemd[1]: Failed to start SYSV: Splunk indexer service"?

My Splunk indexer is not starting as a service on RHEL 7.1 on a fresh install.It's starting ok as splunk user though....

by Explorer in

How to parse out asterisk delimited format?

Hi! I'm having a struggle trying to get Splunk to recognize a file that's in Asterisk Delimited Format. I have the pr...

by Communicator in

Why has source stopped indexing?

hi, I have 2 source A and B (routers), they are sending the data over udp port 514. all of the sudden, the sour...

by Engager in

Enqueuing a very large file on HF

Hi All, My setup is firewall are sending logs to Syslog server and heavy forwarder installed on syslog server itse...

by Path Finder in

AWS Aurora Logs sending double-zipped to Splunk via AWS Add-on

We're running into an issue using Add-On for AWS + SQS-based S3 inputs to pull Aurora logs from S3 buckets. The .gz d...

by Communicator in

How to avoid wrong timestamp with MAX_TIMESTAMP_LOOKAHEAD

Hello, I have logs from Cisco ESA (emails) and some of them are logged in the futur. For example this log is marke...

by Contributor in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Missing "Message" field

How to write in props.conf so that the _time field takes time from the unixTime field?

Need help parsing and extracting MongoDB JSON log in Splunk

Data Onboarding issue- unable to see the data in splunk

Why is indexes.conf change not reflected in GUI without restart?

Help with props.conf to detect timestamp

How to monitor path in RHEL 8 but not RHEL 7?

Error: WinRegistryMonitor::configure: Failed to get configuration settings: 'Regex: number too big in {} quantifier'

Why are none of the Perfmon inputs are sending Data Into Metrics Index and not showing errors?

Why is splunk not forwarding on windows?

Cisco Firepower Estreamer Questions

Why is some data source indexed one hour in the future?

Splunk cannot find my file

Insecure Cipher Suites on Splunk Indexer and Deployment Server

What is the hot bucket max time?

How to Send XML file logs to Splunk with this splunk-connect-for-kubernetes?

How to see the logs of the second forwarders logs? (Using two forwarders and one indexer)

Why is cmd script not running?

Why is Splunkd not starting after a reboot, wih Systemd enable-boot start?

Splunk indexer service: Why error "RHEL 7.1 systemd[1]: Failed to start SYSV: Splunk indexer service"?

How to parse out asterisk delimited format?

Why has source stopped indexing?

Enqueuing a very large file on HF

AWS Aurora Logs sending double-zipped to Splunk via AWS Add-on

How to avoid wrong timestamp with MAX_TIMESTAMP_LOOKAHEAD

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

uberAgent

.NET Application Runtime Metrics Not Showing in Sp...

Streamfwd drops IPFIX data with “no template recei...

Splunk Observability Cloud/SignalFx - Related Cont...

Splunk Answers Content Calendar May 2025

Getting Data In

Are you a member of the Splunk Community?

Discussions