Getting Data In

Ask a Question

Discussions

Thread Info

Why is my HTTP event collector Indexing slowly?

Fellow Splunksters, I have been able to send data to Splunk via TCP sockets for a while and never had any issues. ...

by New Member in

Heavyforwarder transforms.conf split data into multiple indexes

Hello experts, Need help. My requirement is to extract 1st set of lines into 1st index and 2nd set into 2nd index....

by Builder in

Is it possible to use Splunk to Alert on too many users per license or expiring licenses for Office365?

Well the title says it all, I want to create an Alert for licenses that are approaching the max amount of users or ar...

by Path Finder in

Show Failed Login by user, IP Address

Experts, We are a financial institution using Splunk to capture Failed login count by username and IP address. We ...

by New Member in

How to configure Smartstore for both warm and frozen buckets

I've read through the posts and cannot find an answer to this, forgive me if i missed a relevant post. I'm specifi...

by Explorer in

SEDCMD regex json in props.conf doesn't work but works in regex01 and sed command line

Hello, i got a json which looks like this: https://pastebin.com/xHebS2x3 i need to get rid of the field 'sql...

by Path Finder in

ARM treasuredata integration with Splunk

hello experts, I am in the process of integrating ARM treasuredata with splunkis there any standard way of integratio...

by Explorer in

Connection issues: when I created a new indexer, our data is not showing up.

There are a couple of indexes in inputs.conf. I just added a new index with a new port. All other indexes are work...

by Path Finder in

Successfull brute force loggings

I am looking for successfull brute force logins basically I am looking for 5 failed logings followed by 1 successfull...

by Explorer in

Load difference Indexed real-time search versus real-time search

Has anyone real world experience on the difference in the load on a search head if a real time search is executed as ...

by Contributor in

eval output is incorrect when comparing two fields with numeric values

I have a query that has an eval statement that assigns 1 to field 'isTrue' if field 'value1' is greater than field 'v...

by Explorer in

What is the Splunk SPL for matching same values and output to an additional column with a newly defined value?

Hi, I have a field named OS This field is populating multiple values such as below after running the following ...

by Builder in

Palo Alto Syslog being Indexed, but not parsed

I saw the other forum posts, and they are not the same Issue i am having. I have configured the PA to directly send s...

by New Member in

In Splunk Enterprise 7x, how do you get results of a search based on CSV content?

Splunk Enterprise 7x I am basically trying to get this to work: https://answers.splunk.com/answers/519950/ho-to...

by New Member in

Index rebalance - How to rebalance only Warm Buckets

We've recently added 50% more indexers. After rebalancing the cluster, we're finding that we still have a gap on our ...

by Contributor in

Add-On calling HEC

Hi, I am trying to collect data via a REST API and store it as a metric using the add-on builder and python. Unfor...

by Path Finder in

Forwarder stop reads monitored logs after restart

Hi to all, I have several Forwarders on Windows that monitor more than 20k items each (folder and logs inside them...

by Path Finder in

Stanza to select Nginx log files

I want to forward some Nginx log files. Nginx log files look like: - server-access.log - server-access.log-20180102 -...

by Explorer in

Can you parse time from events created from alert actions?

Hello, I am struggling to figure out why I can't parse the time correctly from an event created as part of an aler...

by Engager in

Can you help me with my data filtering query?

I am trying to filter the data sourcetype= WinEventLog:Microsoft-Windows-Sysmon/Operational , sourcetype=WinEventLog:...

by Communicator in

How to install splunk universal forwarder on multiple windows system with powershell script?

I want to install universal forwarder on multiple windows machine. I tried using this command Invoke-Command -...

by Contributor in

Why am I getting high CPU and high memory on universal forwarder even though we have very little data coming into Splunk?

Hi, We are using a forwarder (7.1.6) and we are seeing high CPU and high memory for Splunk forwarder (One whole co...

by Influencer in

what is _meta in DEST_KEY field in transforms.conf and what it does and where it reflects and when we are writing _meta in DEST_KEY filed then we have to write $0 at start in FORMAT so what it means and why we have to do so?

i made whole transforms.conf and prop.conf for a data in splunk and analyse FORMAT in transform.conf with $0 and with...

by Engager in

Using props.conf on SplunkUniversalForwarder to denote TimeZone

TimeZone specification in props.conf on a SplunkUniversalForwarder instance does not appear to be working for me. ...

by New Member in

Am I using splunk-ansible playbook for role splunk_standalone correctly?

Hi there, I am writing ansible playbooks that configure my local splunk universal forwarders. To setup a mock rece...

by Explorer in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Why is my HTTP event collector Indexing slowly?

Heavyforwarder transforms.conf split data into multiple indexes

Is it possible to use Splunk to Alert on too many users per license or expiring licenses for Office365?

Show Failed Login by user, IP Address

How to configure Smartstore for both warm and frozen buckets

SEDCMD regex json in props.conf doesn't work but works in regex01 and sed command line

ARM treasuredata integration with Splunk

Connection issues: when I created a new indexer, our data is not showing up.

Successfull brute force loggings

Load difference Indexed real-time search versus real-time search

eval output is incorrect when comparing two fields with numeric values

What is the Splunk SPL for matching same values and output to an additional column with a newly defined value?

Palo Alto Syslog being Indexed, but not parsed

In Splunk Enterprise 7x, how do you get results of a search based on CSV content?

Index rebalance - How to rebalance only Warm Buckets

Add-On calling HEC

Forwarder stop reads monitored logs after restart

Stanza to select Nginx log files

Can you parse time from events created from alert actions?

Can you help me with my data filtering query?

How to install splunk universal forwarder on multiple windows system with powershell script?

Why am I getting high CPU and high memory on universal forwarder even though we have very little data coming into Splunk?

what is _meta in DEST_KEY field in transforms.conf and what it does and where it reflects and when we are writing _meta in DEST_KEY filed then we have to write $0 at start in FORMAT so what it means and why we have to do so?

Using props.conf on SplunkUniversalForwarder to denote TimeZone

Am I using splunk-ansible playbook for role splunk_standalone correctly?

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Forwarding all logs from HF to third-party using s...

Splunk Observability Cloud/SignalFx - Related Cont...

Regex works but transforms.conf extracts only part...

Splunk Answers Content Calendar May 2025 🎉

Edge Processor Destination not showing up in Pipel...

Getting Data In

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!