Getting Data In

Discussions

Thread Info

Process of Indexed Extraction Configuration

Hi All! I'm currently running into a very weird situation with a Splunk instance I inherited. I setup the props.co...

by Path Finder in

What can be the effects of rebooting a server without taking the forwarder down cleanly?

Many of the forwarders here go down when the servers go for maintenance work. What can go wrong with the forwarders w...

by Motivator in

Search Head - props.conf and transforms.conf not taking into effect in apps directory

I have a universal forwarder forwarding key-value-delimited log events to an indexer. I have created an app on the se...

by Path Finder in

Fields Extraction from JSON File

Im monitoring a JSON file and forwarding the data using UF to my indexers . Im having problems to extract the JSON fi...

by Path Finder in

ui_inactivity_timeout - web.conf

has anyone successfully implemented user session timeouts on their SHC? We are experiencing users keeping multiple da...

by Communicator in

How do I ingest logs that have two dots in their name

I have a new client that has files named as follows: xxxx.xxxx.log Splunk is not ingesting them. How can I ingest log...

by Path Finder in

Local props.conf and transforms.conf

When creating the local/props.conf and local/transforms.conf, do I need to copy the entire default/props.conf and def...

by Communicator in

How do I map my personally TZ-adjusted time to another TZ?

Occasionally, we need to do user-TZ-setting-agnostic stuff in a search and so we need to be able to say, despite the ...

by Esteemed Legend in

Data search in JSON format

Good day. I did not find the answer to my question, so I made a new topic. My device sends data from IDS in JSON form...

by New Member in

passing source script file name in another field before indexing

i have a script which will be executed from inputs.conf but i need the script file name in a new field instead of sou...

by Builder in

i need to index the source field value into new fields during index time

please help me in indexing source field value into new fields value during index time. please help with transform/pro...

by Builder in

How to pass value to python script from a Input.conf

i need to pass the host value in the URL from external file to the python script. how to pass it through conf file? p...

by Builder in

How to prevent linux_message_syslog input from overriding the FQDN of the host sent from a universal forwarder?

All, I have an input in linuxmessagesyslog that seems to be working fine, but the universal forwarder is providin...

by Builder in

How to create a new field with static value during index time

I want to append new field with static value to the data during index time. how to create with props.conf/transfor...

by Builder in

buckets - Frozen and Thawed bucket

Hi, As soon as data moves from cold to frozen bucket it gets deleted? How data moves from frozen bucket to Thawed ...

by Contributor in

Props.conf: Why isn't my mask working?

I'm trying to mask out of the log below and I'm not sure what I'm doing wrong. log: [22/Apr/2020:19:29:57 -0400...

by New Member in

Anyone have a walk through for configuring letsencrypt with the HEC endpoit?

All, Setting up a Splunk instance and in the past I used a load balancer that handled certs for me. But this inst...

by Builder in

Parse nested JSON where the object names are different

I have this application log that is made up of nested JSON { "status": "OK", "next": null, "data": { "Ev...

by Path Finder in

How to display the source for every event in search results without clicking drop-down?

Is there a way to show the source for an event in the results for a search? I am wanting to see the complete source f...

by New Member in

Why did Splunk restart heavy forwarder?

Got an alert for a HF restarting and trying to find the root cause of unexpected restart. I'm using the search below ...

by Path Finder in

Getting Data In

Discussions

Process of Indexed Extraction Configuration

What can be the effects of rebooting a server without taking the forwarder down cleanly?

Search Head - props.conf and transforms.conf not taking into effect in apps directory

Fields Extraction from JSON File

ui_inactivity_timeout - web.conf

How do I ingest logs that have two dots in their name

Local props.conf and transforms.conf

How do I map my personally TZ-adjusted time to another TZ?

Data search in JSON format

passing source script file name in another field before indexing

i need to index the source field value into new fields during index time

How to pass value to python script from a Input.conf

How to prevent linux_message_syslog input from overriding the FQDN of the host sent from a universal forwarder?

How to create a new field with static value during index time

buckets - Frozen and Thawed bucket

Props.conf: Why isn't my mask working?

Anyone have a walk through for configuring letsencrypt with the HEC endpoit?

Parse nested JSON where the object names are different

How to display the source for every event in search results without clicking drop-down?

Why did Splunk restart heavy forwarder?

Salesforce Add-on - Lost my server and trying to r...

Configure Azure Storage Blob Modular Input for Spl...

syslog

VMware addon in unable to collect data from vcente...

rsyslog configuration and receiving results on dif...