Getting Data In

Discussions

Thread Info

Connection issues: when I created a new indexer, our data is not showing up.

There are a couple of indexes in inputs.conf. I just added a new index with a new port. All other indexes are work...

by Path Finder in

Successfull brute force loggings

I am looking for successfull brute force logins basically I am looking for 5 failed logings followed by 1 successfull...

by Explorer in

Load difference Indexed real-time search versus real-time search

Has anyone real world experience on the difference in the load on a search head if a real time search is executed as ...

by Contributor in

eval output is incorrect when comparing two fields with numeric values

I have a query that has an eval statement that assigns 1 to field 'isTrue' if field 'value1' is greater than field 'v...

by Explorer in

What is the Splunk SPL for matching same values and output to an additional column with a newly defined value?

Hi, I have a field named OS This field is populating multiple values such as below after running the following ...

by Contributor in

Palo Alto Syslog being Indexed, but not parsed

I saw the other forum posts, and they are not the same Issue i am having. I have configured the PA to directly send s...

by New Member in

In Splunk Enterprise 7x, how do you get results of a search based on CSV content?

Splunk Enterprise 7x I am basically trying to get this to work: https://answers.splunk.com/answers/519950/ho-to...

by New Member in

Index rebalance - How to rebalance only Warm Buckets

We've recently added 50% more indexers. After rebalancing the cluster, we're finding that we still have a gap on our ...

by Contributor in

Add-On calling HEC

Hi, I am trying to collect data via a REST API and store it as a metric using the add-on builder and python. Unfor...

by Path Finder in

Forwarder stop reads monitored logs after restart

Hi to all, I have several Forwarders on Windows that monitor more than 20k items each (folder and logs inside them...

by Path Finder in

Stanza to select Nginx log files

I want to forward some Nginx log files. Nginx log files look like: - server-access.log - server-access.log-20180102 -...

by Explorer in

Can you parse time from events created from alert actions?

Hello, I am struggling to figure out why I can't parse the time correctly from an event created as part of an aler...

by Engager in

Can you help me with my data filtering query?

I am trying to filter the data sourcetype= WinEventLog:Microsoft-Windows-Sysmon/Operational , sourcetype=WinEventLog:...

by Communicator in

How to install splunk universal forwarder on multiple windows system with powershell script?

I want to install universal forwarder on multiple windows machine. I tried using this command Invoke-Command -...

by Contributor in

Why am I getting high CPU and high memory on universal forwarder even though we have very little data coming into Splunk?

Hi, We are using a forwarder (7.1.6) and we are seeing high CPU and high memory for Splunk forwarder (One whole co...

by Motivator in

what is _meta in DEST_KEY field in transforms.conf and what it does and where it reflects and when we are writing _meta in DEST_KEY filed then we have to write $0 at start in FORMAT so what it means and why we have to do so?

i made whole transforms.conf and prop.conf for a data in splunk and analyse FORMAT in transform.conf with $0 and with...

by Engager in

Using props.conf on SplunkUniversalForwarder to denote TimeZone

TimeZone specification in props.conf on a SplunkUniversalForwarder instance does not appear to be working for me. ...

by New Member in

Am I using splunk-ansible playbook for role splunk_standalone correctly?

Hi there, I am writing ansible playbooks that configure my local splunk universal forwarders. To setup a mock rece...

by Explorer in

How to use Splunk to audit Windows processes created and the users who are running them?

Good evening, I have been trying to figure out a way to get a list of all of the software that runs on my servers ...

by Engager in

Do we need props.conf on the indexer when indexing a csv file?

We use the following props.conf for csv files - [<sourcetype>] disabled = false SHOULD_LINEMERGE = false INDEXED_...

by Ultra Champion in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Connection issues: when I created a new indexer, our data is not showing up.

Successfull brute force loggings

Load difference Indexed real-time search versus real-time search

eval output is incorrect when comparing two fields with numeric values

What is the Splunk SPL for matching same values and output to an additional column with a newly defined value?

Palo Alto Syslog being Indexed, but not parsed

In Splunk Enterprise 7x, how do you get results of a search based on CSV content?

Index rebalance - How to rebalance only Warm Buckets

Add-On calling HEC

Forwarder stop reads monitored logs after restart

Stanza to select Nginx log files

Can you parse time from events created from alert actions?

Can you help me with my data filtering query?

How to install splunk universal forwarder on multiple windows system with powershell script?

Why am I getting high CPU and high memory on universal forwarder even though we have very little data coming into Splunk?

what is _meta in DEST_KEY field in transforms.conf and what it does and where it reflects and when we are writing _meta in DEST_KEY filed then we have to write $0 at start in FORMAT so what it means and why we have to do so?

Using props.conf on SplunkUniversalForwarder to denote TimeZone

Am I using splunk-ansible playbook for role splunk_standalone correctly?

How to use Splunk to audit Windows processes created and the users who are running them?

Do we need props.conf on the indexer when indexing a csv file?

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Why are AWX and HEC not working?

Why are source/host/sourcetype fields dropping thr...

How do I get Windows server cipher data into Splun...

Splunk Add on for Microsoft Azure Secure Score- Ho...

Receiving error that “could not load lookup xxx” w...