Getting Data In

Discussions

Thread Info

VMware ESXi Syslog Events Showing Up Under Multiple Time Stamps

I currently have the following in my props.conf (real values were replaced by x's) which matches the names of all my ...

by New Member in

How to configure 2 Universal Forwarder instances (Splunk 6.1.3 and 6.3.0) on a single AIX machine?

Hi All, I am planning to configure two Splunk Universal Forwarder instances on one of our AIX machines. Version of...

by Communicator in

Parsing out a 32-char GUID from a nested JSON array

I have a JSON object in Splunk that looks something like this: { "myArr": [ [ "redbull", "2;2cf7...

by New Member in

Is it possible to combine these two search results to create 1 alert?

I have two very different search queries that I am having a hard time combining into one search. Search 1 yields r...

by New Member in

Why is my sourcetype configuration for JSON events with INDEXED_EXTRACTIONS making each extracted field multivalue with duplicate values?

I have a Python script configured as a data input that generates one JSON object per line containing events. This is ...

by Path Finder in

JSON extractions duplicates. Distributed environment.

Hello, I have in props.conf this configuration (Universal Forwarder) : INDEXED_EXTRACTIONS = json KV_MODE = none D...

by Explorer in

Best Practice for ingesting script as data input in indexing cluster

We have an index cluster with two indexers, a cluster master, and a cluster search head. We want to deploy scripts th...

by Builder in

Difference in license usage and diskspace usage

Hi, I have an index with the following configuration: [index1] coldPath = $SPLUNKDB/index1/colddb homePath = $S...

by Path Finder in

Persistent queues for Windows event logs

Where does Splunk store the persistent queues for Windows logs. I am able to find the TCP and UDP queued logs but can...

by New Member in

How to use transaction command to show Windows time difference between two EventCodes?

I want to capture EventCode=1100 , but I also want to know if EventCode=4608 is created in one minute after EventCode...

by Explorer in

Universal Forwarder Disk Usage

HI Fellow Splunkers, Need some help out here. What would be the minimum Disk Space required when installing a Univ...

by New Member in

What is the correct method to consume symlinks?

Hi, I'm attempting to consume MSSQL ERROR logs from 800+ systems with different log locations. The current appr...

by Explorer in

Is this inputs.conf changing our default index from "Main" to "test" for all forwarders getting apps from the management server?

I inherited a Splunk Enterprise deployment with a deployment management server used to make changes to all forwarders...

by Path Finder in

Getting Data In

Discussions

VMware ESXi Syslog Events Showing Up Under Multiple Time Stamps

How to configure 2 Universal Forwarder instances (Splunk 6.1.3 and 6.3.0) on a single AIX machine?

Parsing out a 32-char GUID from a nested JSON array

Is it possible to combine these two search results to create 1 alert?

Why is my sourcetype configuration for JSON events with INDEXED_EXTRACTIONS making each extracted field multivalue with duplicate values?

JSON extractions duplicates. Distributed environment.

Best Practice for ingesting script as data input in indexing cluster

Difference in license usage and diskspace usage

Persistent queues for Windows event logs

How to use transaction command to show Windows time difference between two EventCodes?

Universal Forwarder Disk Usage

What is the correct method to consume symlinks?

Is this inputs.conf changing our default index from "Main" to "test" for all forwarders getting apps from the management server?

Running Universal Forwarder with non-administrator service account

IIS filter transform not processing when forwarded from universal forwarder, but does with manual file input?

How can I filter the field only from certain events?

Is it possible to fix a scripted input once it's been indexed?

Why do we get errors for a REST call?

Several of my forwarders are having issues blacklisting the _internal index

INDEXED_EXTRACTIONS = json, fields are extracted as strings, even fields that are numeric only.

unable to push waf logs through HEC- error says HE...

Update Splunk server certificate on Splunk Univers...

ingesting custom device/application logs from AWS ...

Getting Data from OpenVMS into Splunk Cloud

when to use http event collector api to create ven...