Getting Data In

Thread Info

Fortinet logs collected through syslog TCP with SC4S are not splitted correctly

Hi all, I'm struggling with an issue related to collecting Fortinet Fortios events through SC4S. If I use UDP proto...

by Explorer in

WIndows 7 support

I was trying to download the universal forwarder for windows 7 32 bit OS, but i can see only windows 8, 8.1, 10 OS. ...

by Communicator in

CITRIX onboard via SC4S - no events in splunk

Hi, I am running splunk standalone 8.4.1 with Citrix add-on installed 8.2.3. Also, I have SC4S running version 3.3...

by Contributor in

Streamfwd pcap filter compilation error

I'm attempting to set up an Independent Stream Forwarder on a RHEL machine to collect netflow data, and have it forwa...

by Observer in

Request for Best Practices on Collecting Essential Data from Endpoints to Splunk

Dear Splunk Community, I am currently working on a project focused on identifying the essential data that should be...

by Explorer in

Split JSON array into individual events on HF

We've logs coming to HEC as nested JSON in chunks; We're trying to break them down into individual events at the HEC ...

by Builder in

sc4s index re-route

Hi Folks,New to Splunk and SC4S deploymenet. So far I have been able to make good progress. I have setup 2 SC4S serve...

by Engager in

call not properly authenticated

Response Code: 401Response text: <?xml version="1.0" encoding="UTF-8"?><response><messages><msg type="WARN">call not ...

by Explorer in

UF keep looking for removed input stanza

I have this kind of weird custom app (and dangerous too) that changes the UF Instance GUID. Basically, I created a ....

by Explorer in

Defining Timestamp for HEC Input

I'm running into a strange issue where Splunk is using the current time for a HTTP Event Collector input rather than ...

by Communicator in

Splunk Answers Content Calendar May 2025 🎉

Hello Splunk Community! Welcome to the first post of the Splunk Answers Content Calendar  This week, I'll...

by Community Manager in

i am using openshift 4.16.32 and i used helm for splunk-otel-collector and i get this error in the pods

2025-05-06T13:50:00.857Z error helper/transformer.go:118 Failed to process entry {"otelcol.component.id": "filelog", ...

by New Member in

Redirecting specific logs using a regex

Hi splunk community, I have a question on logs cloning/redirection Purpose : Extract logs containing "network-gue...

by Path Finder in

Remove the index distributed setup

Hi, After setting up a test index and ingesting a test record, I’m now planning to remove the index from the distri...

by Path Finder in

Onboarding MOVEit Server Database logs to Splunk

How to onboard MOVEit Server Database logs which is hosted on prem to Splunk Cloud? What is the preferred method?

by Explorer in

Enabling of Splunk PDF scheduler

Hi Splunk Community, I would appreciate your guidance regarding enabling Scheduled PDF Delivery in Splunk. Currentl...

by Motivator in

DB connection errors- no Http Event Collectors available

Hi,We have db connect connections & inputs created in Splunk HF. We see that it has status=FAILED sometimes and below...

by Explorer in

How to upload a csv from a host that has a universal forwarder?

We have a universal forwarder and the customer has a csv file on this machine that he would like to ingest. The custo...

by Motivator in

How to Drop Events Larger Than 10,000 Bytes Before Indexing?

Hi everyone, I'm working on a use case where I need to drop events that are larger than 10,000 bytes before they ge...

by New Member in

Do not run Powershell script when Splunk starts

Hi, I want to run a Powershell script on a Windows universal forwarder according to a cron schedule. My input looks...

by New Member in

When using the Field Extractor can you use the same name for a field? will it append or add to the original field create

When using the Field Extractor can you use the same name for a field? will it append or add to the original field cre...

by Communicator in

Capability to upload image in Splunk Dashboard Studio

Hi All, Which Capability do i assign to Splunk user to upload image in Dashboard Studio

by Path Finder in

1 hour from indexing to Splunk-Web

Hello, Some of the forwarder installations are behaving strangely.They take an hour for the data to be indexed and ...

by Path Finder in

KV Store initialization has been not completed yet in SHC

Dears,,, The KV Store initialization on our search head cluster was previously working fine. However, unexpectedly,...

by Path Finder in

Unable to remove prefix by SEDCMD in sourcetype but able to run in search

I am trying to remove everything before the { character to preserve the JSON format. I am using SEDCMD-keepjs...

by Explorer in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Fortinet logs collected through syslog TCP with SC4S are not splitted correctly

WIndows 7 support

CITRIX onboard via SC4S - no events in splunk

Streamfwd pcap filter compilation error

Request for Best Practices on Collecting Essential Data from Endpoints to Splunk

Split JSON array into individual events on HF

sc4s index re-route

call not properly authenticated

UF keep looking for removed input stanza

Defining Timestamp for HEC Input

Splunk Answers Content Calendar May 2025 🎉

i am using openshift 4.16.32 and i used helm for splunk-otel-collector and i get this error in the pods

Redirecting specific logs using a regex

Remove the index distributed setup

Onboarding MOVEit Server Database logs to Splunk

Enabling of Splunk PDF scheduler

DB connection errors- no Http Event Collectors available

How to upload a csv from a host that has a universal forwarder?

How to Drop Events Larger Than 10,000 Bytes Before Indexing?

Do not run Powershell script when Splunk starts

When using the Field Extractor can you use the same name for a field? will it append or add to the original field create

Capability to upload image in Splunk Dashboard Studio

1 hour from indexing to Splunk-Web

KV Store initialization has been not completed yet in SHC

Unable to remove prefix by SEDCMD in sourcetype but able to run in search

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions