Getting Data In

Thread Info

How to Re-index from CSV sourcetype

Hi all, I am facing strange behavior, for which I can't find anything in the docs. I have a source that gener...

by Path Finder in

How to forward logs via rsyslogd?

Hi, We are facing issue that we are unable to forward logs into Splunk via rsyslogd. They are forwarding as shown ...

by Path Finder in

RSS feeds ingest problems

Hello wonder if anyone got this app working for rss feeds?. https://splunkbase.splunk.com/app/2646/#/details ...

by Observer in

Why after enabling Move policy, data is still there?

Even after enabling move_policy=sinkhole, why is data still in there, verified that the path included in the monitor ...

by Engager in

How can I add new text file everyday?

Hello splunkies! I'm trying to be and admin and I'm doing an exercise but I cannot find the way to configure my inp...

by Explorer in

Experiencing duplicate indexing- How do I solve this problem?

I have a directory that is being monitored on a splunk heavy forwarder./app_monitoring The above directory will ...

by Path Finder in

How to determine ingestion sizing with a single instance deployment

Hello, I'm currently undergoing a sizing exercise to determine how large of a Splunk license I need, and was wonde...

by Explorer in

Does Splunk have a precedence for what logs to forwarder first?

If I had logs for the `_internal` index and logs for a `linux_os` index on a Heavy Forwarder, does the HF prioritize ...

by Explorer in

Why does the heavy forwarder forwarding to external syslog stops working after a few minutes?

Using HF to forward all events to Indexer and external syslog. When using syslog with tcp all processing basically st...

by Loves-to-Learn in

Is there a way to set all fields using eval in Props.conf

Props.conf [mysourcetype] EVAL-field1=trim(field1) Field1 must contain all fields for that source type. I...

by Path Finder in

Is it possible to manually roll specific buckets to frozen?

Hi, is it possible to roll specific buckets to frozen? I have some buckets which the customer wants to be deleted ...

by Explorer in

Unable to add splunk universal forwarder as a sidecar to a container in EKS

ERROR OBSERVED TASK [splunk_universal_forwarder : Setup global HEC] *************************** task path: /opt...

by Engager in

How to optimize view of a line chart in Splunk?

Hi Everyone, I'm working on a Splunk dashboard visualisation using a line chart, and I span the data for every 1week....

by Path Finder in

Why does universal forwarder stop sending data?

Hello!I have an environment with about 200 machines, all Windows Servers. All servers are sending TCP information thr...

by Explorer in

How to ingest MongoDB logs from new servers into splunk?

Hi All, We have a python code to ingest MongoDB logs into splunk and we are successfully ingesting logs from old s...

by Builder in

Is it possible to ingest ZAP(Zero-hour auto purge) logs into Splunk?

Hi All,We want to ingest ZAP(Zero-hour auto purge) logs into Splunk. We are using Splunk Add-on for Microsoft Offi...

by New Member in

How to calculate total_OPS?

Query: index=xxx source=Perfmon:LogicalDisk host=$h$ ( counter="Disk Reads/sec" OR counter="Disk Writes/sec" )...

by New Member in

Why is filtering IIS/Catalina sourcetype not working?

Hi , I am facing a weird issue - where on a Splunk indexer I am trying to filter out log events using props and tr...

by Loves-to-Learn Lots in

How to set Splunk Cloud HTTP-INPUT Truncating to 10000 Characters

Hi all,We are using Splunk Cloud, and I am using the https://http-inputs-mydomain.com/services/collector/raw to send ...

by Path Finder in

How to configure Defender ATP Add On Settings

Hi, Trying to configure the Add-On for Microsoft Defender https://splunkbase.splunk.com/app/4959/ Can anyone co...

by Observer in

Help with extracting the fields and related data from vmstat logs which are coming into Splunk

Hi All, Can you please help me to extract the fields and related data from vmstat logs which are coming into splun...

by Explorer in

Why after trying to show the source of an event, Splunk shows only "loading ..."?

Hello, If I try to show the source of an event, splunk shows only "loading ...".I took care, that the result is fi...

by Path Finder in

Why does eval search work but eval in the props conf file doesn't creating new field?

Hi, My environment has multiple apps. I got a requirement to default a value to a temp field. While my eval in the...

by Builder in

How to optimize Splunk forwarder consuming windows paging file?

Faced with the problem of consuming windows paging file by splunk universal forwarder. I didn't find a similar proble...

by Loves-to-Learn Lots in

How to search data usage by sourcetype

Hello everyone, I need query to find out sourcetype =gshshsh is using how much of data 1. From ...

by Explorer in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

How to Re-index from CSV sourcetype

How to forward logs via rsyslogd?

RSS feeds ingest problems

Why after enabling Move policy, data is still there?

How can I add new text file everyday?

Experiencing duplicate indexing- How do I solve this problem?

How to determine ingestion sizing with a single instance deployment

Does Splunk have a precedence for what logs to forwarder first?

Why does the heavy forwarder forwarding to external syslog stops working after a few minutes?

Is there a way to set all fields using eval in Props.conf

Is it possible to manually roll specific buckets to frozen?

Unable to add splunk universal forwarder as a sidecar to a container in EKS

How to optimize view of a line chart in Splunk?

Why does universal forwarder stop sending data?

How to ingest MongoDB logs from new servers into splunk?

Is it possible to ingest ZAP(Zero-hour auto purge) logs into Splunk?

How to calculate total_OPS?

Why is filtering IIS/Catalina sourcetype not working?

How to set Splunk Cloud HTTP-INPUT Truncating to 10000 Characters

How to configure Defender ATP Add On Settings

Help with extracting the fields and related data from vmstat logs which are coming into Splunk

Why after trying to show the source of an event, Splunk shows only "loading ..."?

Why does eval search work but eval in the props conf file doesn't creating new field?

How to optimize Splunk forwarder consuming windows paging file?

How to search data usage by sourcetype

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions