Getting Data In

Thread Info

Can you help me split a JSON event with regex in props.conf?

Hi guru's: i have JSON data that looks like the below. { "BOMxmlDlTime": 0.6584670543670654, "TODAY-P...

by Path Finder in

Does Splunk Universal Forwarder forward audit events

Does Splunk Universal Forwarder forward audit event logs to Splunk _audit index? I can see Splunk HF's are forwarding...

by Contributor in

Active Directory not send logs for Splunk

Hello, I am using splunk enterprise on linux server. I want to monitor active directory logs. I installed the univ...

by New Member in

I want to take input from forwarder but before that I want to run python script

I want to take input from forwarder but before that I want to run python script, just like in enterprise we can add d...

by New Member in

Change hostname

Hello All, I have several devices on our network that has one interface/IP address in our DMZ and a management IP ...

by Contributor in

Running into errors while disabling the legacy ciphers in splunk 7.2

I am trying to follow the document to disable the legacy ciphers in the Splunk 7.2, and I notice that the cluster mas...

by Splunk Employee in

Xml logs event separation

Hi. I have 10000 xml log output. like : {LOG DATE.../DATE TIME.../TIME CC.../CC AMOUNT.../AMOUNT /LOG} I need to bre...

by New Member in

LDAP pre-cache

If we have multiple users in our organization and do these users expire from the LDAP pre-cache?

by Splunk Employee in

How to configure a sourcetype for JSON data to parse each line as a distinct event?

I have an application that logs out single line JSON statements. For some reason when I load this into Splunk, most o...

by Path Finder in

How to populate Meaningful form of data

Hi Guys, Can you please help me, in framing a query. Like i have this kind of data structure: clk_ctrl: { [-] ...

by New Member in

How do I create a report that can run automatically only when the indexer performs indexing after receiving an input file from forwarder instead of the scheduling with given fixed time ?

How do I create a report that can run automatically only when the indexer performs indexing after receiving an input ...

by Path Finder in

When trying to set up a distributed system, can you help me with the following error?: "Unable to distribute to peer, peer has status=2"

distributed system. splunk 7.1.2 one SH + one indexer In the SH splunkd log: DistributedPeerManager - Distribu...

by Path Finder in

What should the indexer queues be?

After filling the tiny queues on the indexers, we would like to move to bigger queues. We are thinking about the ...

by Motivator in

How do I see all Hosts?

It's only showing "Top 10 Values" for some reason.

by Path Finder in

How to debug why a universal forwarder is parsing files from paths but no data is ingested?

Hi Everyone, I am trying to monitor xml files from a directory in a certain server. But for some unknown reason/s ...

by Path Finder in

Multiple Splunk indexer with same $SPLUNK_DB location

Hi, I have $SPLUNK_DB set up in a NAS storage. But the indexer is installed in a VM (say VM1) running on splunk versi...

by Explorer in

Splunkd Warning: "C:\program files\...\local.meta already exists but with different casing: C:\Program Files\...\local.meta"

Hello fellow Splunkers, We've been tracking down and resolving our Splunkd errors and warnings. This one has us pe...

by Motivator in

How to find the Active Directory and ingest data from it?

Trying to get data from the AD data from the forwarder to Domain Controller. Could not see any settings within Splun...

by New Member in

Splunk is pulling the wrong custom .conf file

I have two apps that are both utilizing the same exact type of custom .conf file. The data in the .conf files are sup...

by New Member in

JSON Split at Index Time

Hi all, I have a JSON file output from a RESTful API service and the log looks something like this: { "Provider...

by Explorer in

Allow only a specified SSL cipher in the splunk forwarder?

Hello, our Nessus scanner show a issue with the 56 bit SSL ciphers which are allowed by the splunk forwarder: ...

by Path Finder in

Limitation of using Forwarder license

Hi I have read splunk docs https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/TypesofSplunklicenses I want to ...

by Builder in

Event breaking not working properly with the regex ([\r\n]+)

Event breaking not working properly with the below regex... props.conf LINE_BREAKER=([\r\n]+) My Log data : ...

by Path Finder in

Is Deployment Client (Universal Forwarder) 6.0 and below is still compatible with Splunk Deployment Server (Splunk Enterprise) 7.0?

Hi All, Just want to ask if Deployment Client (Universal Forwarder) 6.0 and below is still compatible with Splunk ...

by Communicator in

How to create Alert for monitoring splunk forwarder that events is not fetched within the last 5 minutes

Hello, I have multiple scripts in each host which send availability,memory,space details of servers to splunk in ever...

by Explorer in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Can you help me split a JSON event with regex in props.conf?

Does Splunk Universal Forwarder forward audit events

Active Directory not send logs for Splunk

I want to take input from forwarder but before that I want to run python script

Change hostname

Running into errors while disabling the legacy ciphers in splunk 7.2

Xml logs event separation

LDAP pre-cache

How to configure a sourcetype for JSON data to parse each line as a distinct event?

How to populate Meaningful form of data

How do I create a report that can run automatically only when the indexer performs indexing after receiving an input file from forwarder instead of the scheduling with given fixed time ?

When trying to set up a distributed system, can you help me with the following error?: "Unable to distribute to peer, peer has status=2"

What should the indexer queues be?

How do I see all Hosts?

How to debug why a universal forwarder is parsing files from paths but no data is ingested?

Multiple Splunk indexer with same $SPLUNK_DB location

Splunkd Warning: "C:\program files\...\local.meta already exists but with different casing: C:\Program Files\...\local.meta"

How to find the Active Directory and ingest data from it?

Splunk is pulling the wrong custom .conf file

JSON Split at Index Time

Allow only a specified SSL cipher in the splunk forwarder?

Limitation of using Forwarder license

Event breaking not working properly with the regex ([\r\n]+)

Is Deployment Client (Universal Forwarder) 6.0 and below is still compatible with Splunk Deployment Server (Splunk Enterprise) 7.0?

How to create Alert for monitoring splunk forwarder that events is not fetched within the last 5 minutes

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions