Getting Data In

Discussions

Thread Info

Props and the Magic 8

with respect to the Magic 8 should you always try to include them in the props of your various source types for a dat...

by Explorer in

Syslog messages ingestion

Hello Team, I have forwarded syslogs to Splunk Enterprise, I am trying to find a way to create props.conf and trans...

by Engager in

Possible lineabreaker issue with lastlog in Splunk_TA_nix

Hi all After installing Splunk_TA_nix with no local/inputs on heavy forwarders the error I was seeing in this post ...

by Contributor in

How to Identify which HF is sending logs/metrics

Hi, I have incoming data from 2 Heavy Forwarders. Both of forward HEC data and the internal logs, how do I identi...

by Communicator in

How To Create HEC Http_Input in Indexer Cluster Envirmment

Hello, I want to create Input: HEC on the indexers => Indexer Cluster. Create inputs.conf under /opt/...

by Path Finder in

ERROR TcpInputProc - Message rejected. Received unexpected message of size=369296128 bytes for syslogs

Hi, I am trying to inboard a new Syslog coming from a Syslog ng server but data is not indexing. Getting the bel...

by Explorer in

Infoblox timezone not changing

We are collecting logs from Infoblox and forwarding from the product into Splunk which is working as expected, howeve...

by Explorer in

RegEx data after curly brackets

I'm trying to regex the field that has "REPLY"CommonEndpointLoggingAspect {requestId=94f2a697-3c0d-4835-b96a-42be3d24...

by Observer in

TIMESTAMP_FIELDS vs INDEXED_EXTRACTIONS vs KV_MODE

Context is structured sourcetypes such as JSON. First, Does use of TIMESTAMP_FIELDS require INDEXED_EXTRACTIONS? (Th...

by SplunkTrust in

event line break in props

---------------------------- This is an Example (He/She) ----------------------------- Version: 21.04.812-174001 Date...

by Explorer in

Rsyslog configuration with Splunk

Please help me in configuring rsyslog to Splunk. Our rsyslog server will receive the logs from network devices and ou...

by Communicator in

TCP-SSL on heavy forwarder (Checkpoint)

Hello, could you tell me how to properly have dedicated server certificate for specific tcp-ssl in inputs.conf (Che...

by Motivator in

How do I configure Universal Forwarder to not send INFO Metrics over TCP?

My ouputs conf looks like this: [tcpout] defaultgroup = logstash disabled = false forwardedindex.0.whitelist = .*...

by Explorer in

SentinelOne Applications Channel No Longer Populating Events

We've been collecting data with the inputs add-on ( Input Add On for SentinelOne App For Splunk) for several years...

by Explorer in

Custom datetime.xml for x12 format

Trying to get datetime.xml configured to recognize a timestamp in x12 file format with no success... Here are the ...

by Path Finder in

How to Assign Values for _time at Index Time for Future Searching?

I have a CSV file that I would like to index one time only. There are two fields (Date, Time) that I want to be able ...

by Builder in

forwarder manager stopped after upgrade from 9.1 to 9.2.0.1

Linux, RHEL 8.9. Splunk 9.2.0.1 Had a forwarder manager running (for years) with 2,00...

by Communicator in

TA-pps_ondemand Error: KV Store is disabled

In Splunk Cloud for one of my client environment, I'm seeing below message. TA-pps_ondemand Error: KV Store is disa...

by Explorer in

Data filtering location

Hello, let me explain my architecture. Multi site cluster (3 site cluster)... 2 indexers, 1 SH, 2 syslog servers ...

by Communicator in

Getting Print Spooler Logs into Splunk

We need to get Windows Print Spooler logs into splunk but not sure where to start. The specific event codes are gener...

by New Member in

Splunk Add-on Builder: Global Account settings

Hi, Is it possible when using Global Account to customise the fields? i.e. add other fields than only Username and ...

by Path Finder in

How can I use wildcards (*) for the source stanza in props.conf?

Hi, In my live splunk environment, I have a syslog receiver on a Linux machine putting all incoming logs in /opt/s...

by New Member in

Ingested time for csv file on windows

background - the designed windows log flow is Splunk Agent of Universal forwarder -> Splunk Heavy Forwarder-> Splun...

by Loves-to-Learn Lots in

Issues with HTTP Status for HEC token

Hey, I am facing following issues when sending data using HEC token. Connection has been established with no issue ...

by Motivator in

Trying to get eval to push multiple values to one field

Currently trying to get eval to give multiple returns | eval mitre_category="persistence,Defense_Evasio...

by Engager in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Props and the Magic 8

Syslog messages ingestion

Possible lineabreaker issue with lastlog in Splunk_TA_nix

How to Identify which HF is sending logs/metrics

How To Create HEC Http_Input in Indexer Cluster Envirmment

ERROR TcpInputProc - Message rejected. Received unexpected message of size=369296128 bytes for syslogs

Infoblox timezone not changing

RegEx data after curly brackets

TIMESTAMP_FIELDS vs INDEXED_EXTRACTIONS vs KV_MODE

event line break in props

Rsyslog configuration with Splunk

TCP-SSL on heavy forwarder (Checkpoint)

How do I configure Universal Forwarder to not send INFO Metrics over TCP?

SentinelOne Applications Channel No Longer Populating Events

Custom datetime.xml for x12 format

How to Assign Values for _time at Index Time for Future Searching?

forwarder manager stopped after upgrade from 9.1 to 9.2.0.1

TA-pps_ondemand Error: KV Store is disabled

Data filtering location

Getting Print Spooler Logs into Splunk

Splunk Add-on Builder: Global Account settings

How can I use wildcards (*) for the source stanza in props.conf?

Ingested time for csv file on windows

Issues with HTTP Status for HEC token

Trying to get eval to push multiple values to one field

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions