Getting Data In

Discussions

Thread Info

How to change sourcetype on indexer based on the value of source?

Hi, My data flows in from the forwarder where index=idx1 and sourcetype=sourcetypeA have been set using inputs.con...

by Path Finder in

How do I pull service status for Windows in an efficient manner?

I know the WinHostMon input can be used to poll the status of all the services on a host, but it also outputs a lot o...

by Communicator in

Why is the Universal Forwarder also sending internal logs when only told to send certain data to different indexer via _TCP_ROUTING in inputs.conf?

We have a single inputs.conf stanza that sends the data from "targetLog.log" to a different indexer, "indexerB", than...

by Explorer in

Windows Server 2016 compatibility

Hello Where can I find Information about Windows Server 2016 compatibility (universal forwarder)? Regards

by Path Finder in

running down indexer congestion problems

Hi, I'm running into occasional errors from one of my indexers reporting "skipped indexing of internal audit event...

by Path Finder in

disable all inputs

Hello, I'd like to disable all the input on the SplunkTAmicrosoft_ad, is there a handy way to do this? for example...

by Path Finder in

How to check if Heavy Forwarder is autoload balancing properly ?

I am forwarding some logs from a Heavy Forwarder to 2 indexers. I want to check if forwarder is balancing load/distri...

by Path Finder in

How to find out what the default settings sourcetype that Splunk has set to for a data file in Splunk 6.2+

Hi, I have a log file that I need to import into Splunk and I want to get it as efficient as possible, as there is...

by Communicator in

CSV inconsistent field value

Hello Splunkers, So I have this csv file that a certain field contains 10+ numbers. Please see sample image below...

by Builder in

why my indexers are indexing more than the hotdata maxVolumeDataSizeMB

Hi, I'm facing some issue that our indexers are not following the local indexes.conf settings in my local indexes....

by New Member in

Cisco ironport syslog broken pipe

Hello I configured Splunk to handle TCP syslog from ironport appliances: [tcp://514] connection_host = dns inde...

by Path Finder in

How to configure Splunk to index a one line JSON file with 55,000 characters?

I have been trying to index a one line JSON file with 55,000 characters in a single line. Splunk seems to cut it off ...

by Path Finder in

sending AIX audit log stream to splunk

I was having major issues getting splunk to work with the "text" file that we are pushing all AIX commands to. Ori...

by Communicator in

Index only the first line and ignore the rest.

Hello I have few files for which I want to index just the first line and ignore everything else as its purely bein...

by Motivator in

How to convert an event INTO JSON

[Not really a question, but wanted to document and share with the community...] So, I had a customer that liked ho...

by Path Finder in

How to filter the data in my log before indexing?

HI I have a scenario where I need to filter the data present in a log. I need to index only the last line from that l...

by Explorer in

Props and transforms: Order of execution of transforms for multiple stanza?

AS per props.conf documentation Use a comma-separated list to apply multiple transform stanzas to a single TR...

by Super Champion in

Extract and Transform Custom Event

I have events with the following format - [Thread-2505_GOOGLE_INT_20170424155901301f9e61-1493049600619-NSRLM_2_1_...

by Contributor in

Does the Windows Active Directory user for Splunk forwarder need "Remote Desktop access" rights?

Hello, Does the Windows user for Splunk forwarder need "Remote Desktop access" rights? In general, what kind of...

by Builder in

Best practice to restrict access to view events by sourcetype?

Is there a best practice to restrict access to events in Splunk by index and sourcetype? I have tested using the ...

by Path Finder in

Getting Data In

Discussions

How to change sourcetype on indexer based on the value of source?

How do I pull service status for Windows in an efficient manner?

Why is the Universal Forwarder also sending internal logs when only told to send certain data to different indexer via _TCP_ROUTING in inputs.conf?

Windows Server 2016 compatibility

running down indexer congestion problems

disable all inputs

How to check if Heavy Forwarder is autoload balancing properly ?

How to find out what the default settings sourcetype that Splunk has set to for a data file in Splunk 6.2+

CSV inconsistent field value

why my indexers are indexing more than the hotdata maxVolumeDataSizeMB

Cisco ironport syslog broken pipe

How to configure Splunk to index a one line JSON file with 55,000 characters?

sending AIX audit log stream to splunk

Index only the first line and ignore the rest.

How to convert an event INTO JSON

How to filter the data in my log before indexing?

Props and transforms: Order of execution of transforms for multiple stanza?

Extract and Transform Custom Event

Does the Windows Active Directory user for Splunk forwarder need "Remote Desktop access" rights?

Best practice to restrict access to view events by sourcetype?

Data Onboarding Strategy

serverclass.conf whitelist from pathname not worki...

Connect to your Azure Storage account with the Spl...

DataParserVerbose - Accepted time format has chang...

how to extract json fields in a mixed type log out...