Getting Data In

Discussions

Thread Info

Looking for examples for splitting syslog data to separate indexes and transforming sourcetype

I'm having a trouble splitting syslog data coming in over UDP:514 to their own index and transforming the respective ...

by Communicator in

How to reduce the hot volume size?

Hi, We are using volume partitions for the indexes.conf and the hot volume is getting full around 90% on the disk....

by Builder in

Extract timestamp from the logs

I've logs where events are not starting with time. Log format is 10.100.28.108 - - 2018-04-25--02-31-14 "PUT /mifs/c...

by Path Finder in

Splunk logging Driver Bringing Down the Entire Docker Swarm Cluster

Hello, We implemented collecting Docker logs using splunk logging driver, It pushes the docker logs very well and...

by Engager in

Should props.conf match inputs.conf?

Does the props.conf file of an indexer has the same contents as the inputs.conf file of the forwarder from which it i...

by Path Finder in

Script input troubleshoot

Hi, I am trying to index from my python script. I followed the steps in this page to setup my data: http://docs.splun...

by Contributor in

Find out the type of logs which are captured when it is using a script \bin\scripts\splunk-wmi.path ?

I installed SplunkForwarder and during the installation wizard, I checked all the logs for Windows (Application, Secu...

by Explorer in

How do I configure a UF on Linux to receive and forward windows events?

I need to configure a Linux based UF to receive Windows events and then forwarder those to the indexers. I am guessin...

by Path Finder in

After matching 2 different data sources based on srcip, why is the output none?

Hi, I try to match two events in one search. one event must match virus and the other android. because the clearpa...

by Engager in

Syslog from switch to indexer

Hello, we want to send syslog from cisco switches directly to the splunk indexer. So I made a NAT from UDP 514 to ...

by Path Finder in

I need a config to direct outputs to two different Splunk stacks?

All, I have a legacy install of Splunk and a new Splunk ES stack. Transition is going to take a year. So far I ju...

by Builder in

CSV file with last 2 fields XML payloads

Need help with the following CSV (everything I am trying, the XML fields are getting parsed incorrectly) so I have...

by Engager in

How to reindex data which is coming from syslog server to splunk ?

Please hlep me how I can reindex data which is coming from syslog server to splunk? Thanks , splunker969

by Communicator in

Tip: Sample pfSense Logs Parsed Here

Hi, I have parsed some pfSense logs. For anyone making an app, please go ahead and use this info. Cheers and us...

by New Member in

Custom Filters

I'm using the Unversal Forwarder to 'monitor' log files on the clients but I just can't index everything forwarded, t...

by Explorer in

Why am I still seeing debug logs in the Splunk heavy forwarder filtering?

I have set the following on transforms.conf and props.conf but I still see DEBUG logs in my search. what did I miss ...

by Communicator in

Can I create an index locally and have it selectively forward specific fields from a source?

Hi all- I have a unique requirement/question, I think. I'm wondering if there is a way in Splunk to set up a heavy...

by Path Finder in

I am unable to remove the standard Blue Coat heades tha begin with the # comment. I have tried several iterations of the nullQueue using REGEX and SEDCMD

This is a copy of the log header and how I currently have the props.conf and transforms.conf configured Software:...

by Path Finder in

Options on installing universal forwarders on "Windows Machines"

Hello All, Im a bit confused with the installation of a UF on the windows machine. According to the documents, there ...

by Communicator in

Splunk UDP Data Input Fails To Send Data

Hi everyone, I am working on a school project where multiple batches of students will work on the same project and...

by Explorer in

Getting Data In

Discussions

Looking for examples for splitting syslog data to separate indexes and transforming sourcetype

How to reduce the hot volume size?

Extract timestamp from the logs

Splunk logging Driver Bringing Down the Entire Docker Swarm Cluster

Should props.conf match inputs.conf?

Script input troubleshoot

Find out the type of logs which are captured when it is using a script \bin\scripts\splunk-wmi.path ?

How do I configure a UF on Linux to receive and forward windows events?

After matching 2 different data sources based on srcip, why is the output none?

Syslog from switch to indexer

I need a config to direct outputs to two different Splunk stacks?

CSV file with last 2 fields XML payloads

How to reindex data which is coming from syslog server to splunk ?

Tip: Sample pfSense Logs Parsed Here

Custom Filters

Why am I still seeing debug logs in the Splunk heavy forwarder filtering?

Can I create an index locally and have it selectively forward specific fields from a source?

I am unable to remove the standard Blue Coat heades tha begin with the # comment. I have tried several iterations of the nullQueue using REGEX and SEDCMD

Options on installing universal forwarders on "Windows Machines"

Splunk UDP Data Input Fails To Send Data

Smart Store Producing a High Volume of 204 and 404...

Ingest messages from slack channels to splunk

Need to give add data capability to user in splunk...

Load Balancing UF to 3rd third party receivers

Dublicated json fields on searchHead