Getting Data In

Discussions

Thread Info

What is the maximum size of the csv.gz file that can be generated in Splunk and sent to an external server by SCP?

We're sending CSV files from Splunk to an external server. The files are compressed (.gz format). What is the max...

by New Member in

how to sum the machine OS in a JSON file

Hi Guys, I have a JSON file for OS type in some cluster like below: { "clusterA": ubuntu, "clusterA": ubuntu, "...

by Explorer in

Why does installing a forwarder using msiexec keeps failing?

We are installing a forwarder to new workstations using the command below; *msiexec /i "splunkforwarder-7.0.0-c8a7...

by Splunk Employee in

How to check how many hosts are connecting (sending logs) to Splunk Forwarder

Hi Guys, We have a remote site with a Splunk forwarder installed. How to check how many hosts are connecting (send...

by Explorer in

Perfmon sending logs to the wrong indexer

I have a single instance deployment. I have a server that is sending Perfmon logs to my main index but I never told i...

by Communicator in

syslog server set-up

Hi, As a temporary measure (for 3 months), we have been asked to set-up one of the splunk server (HF) to work as s...

by Explorer in

How do I exclude certain emails from being indexed?

We have recently turned on journaling within MS Exchange which basically sends a copy of every item to a journaling m...

by Path Finder in

Where does config file goes for Automatic lookups

Hi , I want to delete few Automatic lookups from server as it doesnt give me option of deleting it from GUI. Even tho...

by Path Finder in

Data disappearing and getting error when selecting sourcetype: "No results found...".

I have sourcetype X in Splunk prod and dev. When trying to copy data from prod and ingesting it manually in dev, and ...

by Explorer in

Configuration file precedence on universal forwarder and indexer

Hi all, We set sourcetype in inputs.conf on universal forwarder, e.g. [monitor:///Firewall/*/*_pa_firewall.log...

by Communicator in

Multiple timestamp fields with same field name

I have some json data events that has multiple "date" fields. The date field I am looking to use as my timestamp come...

by Path Finder in

Splunk not ingesting some log files

I have set splunk to ingest the /var/log directory. On this particular host, I go to filter by "source", and only see...

by New Member in

Can I use the same Splunk Cloud heavy forwarder to send data to on-premises Splunk?

I have a heavy forwarder currently sending data to Splunk Cloud. Can I use the same heavy forwarder to stop data s...

by Path Finder in

Blacklist Windows security event log with system account

I am trying to filter out noise before it is sent to the indexer. We were using Windows Event Forwarding previously, ...

by Explorer in

Strip lines from Logs before Indexing in Splunk Cloud

Hi, I have an Apache instance with Splunk Forwarder installed that sends logs to Splunk Cloud directly (no heavy f...

by New Member in

Events from same file getting separate timestamps

I have json files that have multiple events per file. However when I ingest the data, Splunk parses some of the times...

by Path Finder in

Enable Summary Index Search from REST API

Hi! We are on Splunk 7.2.0, and I am trying to automate setting up a Saved Search using an Ansible Playbook that woul...

by Communicator in

Parsing and Displaying a JSON String

I have a JSON string as an event in Splunk below: {"Item1":{"Max":100,"Remaining":80},"Item2":{"Max":409,"Remainin...

by Explorer in

Grouping hosts for serverclass.conf

Hi all, I have a general question on saving some space and grouping hosts in serverclass.conf. I have reviewed Thi...

by Path Finder in

How to skip reading CVS heard from server where Splunk Universal Forwarder is installed

Hi, On server with Splunk Universal Forwarder installed we are monitoring cvs log with a header and lines in the f...

by Builder in

Splunk Cloud timestamp

When running a search for syslogs within 7 days, Splunk is retuning some logs that are months old. Timestamp is corre...

by New Member in

spath for the JSON

How can we use spath for below JSON to evaluate if for ConcurrentAsyncGetReportInstances , Remaining/Max*100 is >= 70...

by New Member in

HTTP Event collector - call not properly authenticated

Have tried to setup HTTPEventCollector via cli using splunk documentation link: https://docs.splunk.com/Documentation...

by Communicator in

Distinct delimiters for same input

I have a dashboard that takes 3 inputs. (TimePicker, Associate, and Activity). All items (inputs and dash panels) ...

by Explorer in

New field add to existing capture -- time check needed?

I have an application feeding to Splunk for the better part of a couple years now. Last December we change formats an...

by Explorer in

Get Updates on the Splunk Community!

Getting Data In

Discussions

What is the maximum size of the csv.gz file that can be generated in Splunk and sent to an external server by SCP?

how to sum the machine OS in a JSON file

Why does installing a forwarder using msiexec keeps failing?

How to check how many hosts are connecting (sending logs) to Splunk Forwarder

Perfmon sending logs to the wrong indexer

syslog server set-up

How do I exclude certain emails from being indexed?

Where does config file goes for Automatic lookups

Data disappearing and getting error when selecting sourcetype: "No results found...".

Configuration file precedence on universal forwarder and indexer

Multiple timestamp fields with same field name

Splunk not ingesting some log files

Can I use the same Splunk Cloud heavy forwarder to send data to on-premises Splunk?

Blacklist Windows security event log with system account

Strip lines from Logs before Indexing in Splunk Cloud

Events from same file getting separate timestamps

Enable Summary Index Search from REST API

Parsing and Displaying a JSON String

Grouping hosts for serverclass.conf

How to skip reading CVS heard from server where Splunk Universal Forwarder is installed

Splunk Cloud timestamp

spath for the JSON

HTTP Event collector - call not properly authenticated

Distinct delimiters for same input

New field add to existing capture -- time check needed?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

How to integrate SentinelOne Singularity Enterpris...

splunkd.log errors and broken fishbucket on splunk...

update to Splunk Add-on for Infoblox?

CSAM Reports - 500 ERROR

JSON Data extraction issues with Comma