Getting Data In

Thread Info

How do you exclude all lines with INFO or WARN from being indexed?

I have been reading through a lot of the previous answers to exclusion, but none match what I need. I need to exclude...

by Path Finder in

Splunk Indexing .gz files as compressed/raw data and not the uncompressed version

Attached is an example of the data, I have also extracted the data from the gz files and it was able to import the da...

by Engager in

CSV headers appear as event

I have a CSV file that updates every now and then. I'm monitoring it via Splunk. However, the problem is that the fir...

by Path Finder in

How do I change _internal index sourcetype?

Some how the _internal index changed its sourcetype. How does one go about changing it back? I am not to worried abou...

by Explorer in

Customer wants to manage forwarders with deployment server but we need to insist the batch ingest directory is locked

I've read (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles) that the prece...

by New Member in

How do you verify that multiple indexes are time synced?

We have upwards of 50 different security technologies reporting into Splunk. I'm being tasked with verifying that all...

by Path Finder in

Parsing time_format with random words between date and time

Hi, I'm attempting to extract data and time from a custom text file where date and time are split across two lines...

by Explorer in

Splunk session key usage

HI Team, I am having a hard time getting a response from splunk enterprise server. Here is my use case- I have a r...

by Explorer in

Issue with syslog data getting behind when read from our syslog server with a universal forwarder

We are running Splunk 6.6.3 and have universal forwarders on our syslog servers. We are finding that some of the data...

by Path Finder in

Couldnt able to login web url of splunk

After splunk indexer server restart we are getting 500 inetrnal server error , though the splunk service is up and ru...

by Splunk Employee in

Logs files missed to get index in Indexer from UF

I don't see 3-4 log files missing while searching on Searchhead. Is there any command to check if Splunk has already ...

by Splunk Employee in

How come I can't override _time with props?

Using an HTTP event collector on a heavy forwarder, I receive JSON that comes in as follows: { "env": "prod",...

by Explorer in

I need to be able to detect packets dropped by Juniper SSG firewalls due to the firewalls' anti-spoofing

How can I use SPLUNK to detect packets dropped by the Juniper ScreenOS because of anti-spoofing configuration on the ...

by Engager in

|rest /servicesNS/-/-/search/distributed/peers Get all indexers - capabilities - user role

Hi I am in a bit of urgent issue and cannot figure out solution. I use that rest call to get list of all indexers:...

by Path Finder in

How to set Timestamp that is in the first line of the file

by Path Finder in

How to extract changing headers from multiline event?

Hi all, I am sending a multiline event to Splunk Enterprise. The first row contains metadata, the second row the f...

by Path Finder in

How do you refresh programmatically created Input configurations?

Hi, Im creating new configurations for ModularInput using C# SDK. This is how I do it: service.Configurations.G...

by Explorer in

Are there practical limits to queue sizing on indexers?

We had an issue with parsing queue filling recently. Our oversized event profile is to blame. To address, I increased...

by Influencer in

How do you select a key value based on key name?

I have a log that looks similar to this: `{ "name": "Joe", "variables":[ { "variableName":"age", "variableValue":"...

by New Member in

Splunk - stop auto indexing JSON

Hi, I have a log that looks like the below, 2019-02-27 09:40:23,312 | INFO | [myapp-metrics-publisher] | [myap...

by Path Finder in

index time and event log time is mismatching

We are getting events from one of our application ,But the indexed time and event logged time is different ,Please le...

by New Member in

How do you set the props.conf file to read gz files in Splunk?

Hello, I have gz files on a Windows server that I am monitoring using a universal forwarder and sending it to heav...

by Builder in

Moving files and folders inputs to heavy forwarder

Hi Splunkers, we use approach to collect logs on syslog and than point Splunk on logs with Files & Directories inp...

by Contributor in

Break up multi line event

I'm trying to query for which ports are open on IP ranges, although the data has multiline information. Below is an e...

by Explorer in

Why is props.conf in my deployment-app not getting picked up?

I have a standalone Splunk environment - I have universal forwarders and an indexer/Deployment server which acts as t...

by Path Finder in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

How do you exclude all lines with INFO or WARN from being indexed?

Splunk Indexing .gz files as compressed/raw data and not the uncompressed version

CSV headers appear as event

How do I change _internal index sourcetype?

Customer wants to manage forwarders with deployment server but we need to insist the batch ingest directory is locked

How do you verify that multiple indexes are time synced?

Parsing time_format with random words between date and time

Splunk session key usage

Issue with syslog data getting behind when read from our syslog server with a universal forwarder

Couldnt able to login web url of splunk

Logs files missed to get index in Indexer from UF

How come I can't override _time with props?

I need to be able to detect packets dropped by Juniper SSG firewalls due to the firewalls' anti-spoofing

|rest /servicesNS/-/-/search/distributed/peers Get all indexers - capabilities - user role

How to set Timestamp that is in the first line of the file

How to extract changing headers from multiline event?

How do you refresh programmatically created Input configurations?

Are there practical limits to queue sizing on indexers?

How do you select a key value based on key name?

Splunk - stop auto indexing JSON

index time and event log time is mismatching

How do you set the props.conf file to read gz files in Splunk?

Moving files and folders inputs to heavy forwarder

Break up multi line event

Why is props.conf in my deployment-app not getting picked up?

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Parsing Multimetric Logs

SC4S Syslog server update fails during download wi...

SplunkForwarder flooding splunkd.log with reconnec...

Event break multiline PowerShell Transcript Log

uberAgent

Getting Data In

Are you a member of the Splunk Community?

Discussions