Getting Data In

Discussions

Thread Info

Where does Splunk keep metadata on when a log was indexed?

The logs I've got only have log generation timestamps in them, and the timestamp in Splunk reflects the log generatio...

by Explorer in

How can we delete a large index from an indexer cluster?

We have a fairly large index in an indexer cluster of six indexers. What would be an easy way to remove this index fr...

by Ultra Champion in

How can we monitor all log files in current directory and sub-directories?

We wonder whether [monitor:///<source>/logs/*.log] would monitor all log files in the <source>/logs directory and als...

by Ultra Champion in

How to configure inputs.conf to route logs from 2 IP addresses to a specific index?

Hello I have a number of devices logging to an index feeding Splunk via Syslog on 514/UDP. Now, I want to route lo...

by Communicator in

Does Windows Protected Event Logging work with Splunk?

My company wants to set up Windows 10 Protected Event Logging for sensitive fields (currently this is only done for P...

by Builder in

How to force Splunk use epoch time in the log file as index time

I have following logs from a customer device: 0080101c40ba,10.10.1.2,1481421584,host1.labtest.com,error-message1,s...

by Path Finder in

How to edit my TIME_PREFIX in props.conf to properly extract the timestamp from my sample event?

-health_checkin_date: 2016-10-30T09:45:28.824Z That is the line from a JSON event being sent into my Splunk insta...

by Explorer in

How to restart a universal forwarder remotely via deployment server?

We are facing a few issues whereour endpoints (clients) may have the Splunk service stopped. Can we force a restart o...

by Super Champion in

What is the syntax for |makemv delim="|" when writing it in the props.conf file?

This works in the search bar |makemv delim="|", but not when I put that in the props.conf file.

by Path Finder in

Is it possible to add and correct fields for past events?

Hi, we just set up our first Universal Forwarder which now works as expected. But it didn't do so initially, befor...

by Explorer in

How to forward specific log files to specific indexes?

Hello, I'm trying to figure out the following setup: At the moment we have one rotating log file that should be fo...

by Explorer in

Is there an internal log in Splunk with the number of events that were sent to null queue?

Hi. We have recently been inadvertently sending some events to the null queue, due to a new data source that matc...

by Path Finder in

How to view the port status of Cisco switches and firewalls?

Hello guys, I got Cisco firewalls and switches. Now we enabled syslog but I want to see when a port status goes fr...

by Path Finder in

My server logs data in Korean. How do I change the language to English in Splunk indexer?

Hi, Currently i have a server logging Windows Event Log data in Korean. I need to change that Korean to English when ...

by Explorer in

Has anyone seen duplicate windows server universal forwarders after update?

I have one forwarder that is showing duplicate on my Splunk server. I updated 3 forwarders to test them. It was from ...

by New Member in

Does Splunk count the incoming uncompressed data, or the compressed raw data against your license?

I learned that Splunk compresses the incoming data and creates some index files to point towards compressed raw data....

by Contributor in

How to monitor a structured XML log file without indexing duplicate events?

Hi forum, I'm trying to monitor an xml structured logfile like this: <Events> <Event>line1</Events> <Event>line...

by Contributor in

universal forwarder deployment on a windows fails?

Hi users, I recently installed universal forwarder on a Windows machine, aiming to forward logs from there to the ...

by Communicator in

Route data to separate index based on CIDR

I have a requirement to route data that falls within two /24 CIDR ranges to a separate index, say 10.0.1.0/24 and 10....

by Communicator in

Can I configure transforms.conf to route data to different sourcetypes and indexes based on host?

Hi, I have a bunch of different hosts going to a network port for syslog and need to route to different indexes/so...

by Champion in

Getting Data In

Discussions

Where does Splunk keep metadata on when a log was indexed?

How can we delete a large index from an indexer cluster?

How can we monitor all log files in current directory and sub-directories?

How to configure inputs.conf to route logs from 2 IP addresses to a specific index?

Does Windows Protected Event Logging work with Splunk?

How to force Splunk use epoch time in the log file as index time

How to edit my TIME_PREFIX in props.conf to properly extract the timestamp from my sample event?

How to restart a universal forwarder remotely via deployment server?

What is the syntax for |makemv delim="|" when writing it in the props.conf file?

Is it possible to add and correct fields for past events?

How to forward specific log files to specific indexes?

Is there an internal log in Splunk with the number of events that were sent to null queue?

How to view the port status of Cisco switches and firewalls?

My server logs data in Korean. How do I change the language to English in Splunk indexer?

Has anyone seen duplicate windows server universal forwarders after update?

Does Splunk count the incoming uncompressed data, or the compressed raw data against your license?

How to monitor a structured XML log file without indexing duplicate events?

universal forwarder deployment on a windows fails?

Route data to separate index based on CIDR

Can I configure transforms.conf to route data to different sourcetypes and indexes based on host?

Module 4 data upload fail without errors

serverclass.conf whitelist from pathname not worki...

How to produce stats with based on a field clientI...

Connect to your Azure Storage account with the Spl...

DataParserVerbose - Accepted time format has chang...