Getting Data In

Thread Info

How to enable rest-api?

Hi Team, I'm running Splunk on AWS ec2 instance backed by AWS ALB. I've created target group for port 80,443 & 808...

by Path Finder in

If I have two timestamps in my log file, how can I choose one timestamp as the timestamp of the event?

I have two timestamps in my log as shown below: "#01#20180626-125301;969#19700101-000028;723#0046#01#GROUND#Y#4Y16...

by New Member in

Would monitoring files with logrotate and delayed compression cause reindexing?

If I'm monitoring files that are being rotated with an added timestamp, and the rotated files are being compressed af...

by Builder in

Can 6.5.2 indexers co-exist with 7.1.2 indexers?

I will be upgrading 4 indexers from 6.5.2 to 7.1.2. Will I need to stop all 4 indexers, upgrade them all, and then st...

by Path Finder in

How do I keep the Splunk CLI from disappearing in Windows so I can read the output?

Hi I have two Splunk deployments, one running Splunk 7.1.0 on Windows Server 2016 and Splunk 7.1.2 on Windows 10. Whe...

by Path Finder in

Why do Summary Indexing commands help improve Splunk's performance?

Hi, I have a search that will fetch about 5 GB of application logs. In order not to put load on the Splunk instanc...

by Explorer in

How to use datamodel field values in tstats to filter resultant data?

I'm trying to search my Intrusion Detection datamodel when the src_ip is a specific CIDR to limit the results but can...

by Builder in

How to configure the timezone by sourcetype?

I'm doing like this: FIELD_NAMES = DATAAREAID,RECID,DATAAREAID2,ITEMID,TRANSDATE,SUMOFQTYSEND,SUMOFQTYRET,RECIDLIN...

by Path Finder in

How do I exclude log from sending to Splunk to save quota?

Hi guys. I have daily quota for 3G. but the log is too much. So, I'm trying to exclude some logs, like heart bea...

by New Member in

How to detect the beginning/ending of Daylight Savings Time?

I have a report in which a date/time field is converted from GMT to MST/MDT, depending on if it is currently in Dayli...

by Communicator in

Field Extraction from Source Field in props.conf

Hello, I am going bananas trying to figure out the error in my props.conf. All of my logs are collected using Spl...

by Engager in

Why can't my UF send data from /var/log/messages?

Question: why is /var/log/messages not forwarded to index? My deployment: UF: version 7.1.2 RHEL 6.10 /opt/splu...

by Engager in

How do you collect log within 1 hour from file log rotate?

Dear all, I have file log access /var/log/secure . Use log rotate ( setting daily) I need collect log login fail 3...

by New Member in

Why is my UDP-input data appearing duplicated in the index?

I've carried out two searches to find out splunk is indexing duplicate search results which are from the same host, s...

by Path Finder in

Using SPATH notation in conf files

Hi guys, I need to uto extract fields and values during search time using SPATH notation in props.conf and transforms...

by Explorer in

Why is Splunk not indexing in milli seconds?

Hi All, I configured an input in which the timestamp field is in format 20180830112930314 (%Y%m%d%H%M%S%3N). The s...

by Path Finder in

This XML file does not appear to have any style information associated with it. The document tree is shown below.

This XML file does not appear to have any style information associated with it. The document tree is shown below. ...

by New Member in

HEC: Share a basic hello world script with Ruby to send to HEC?

All, I need to send some data from a Ruby script to HEC collectors. Anyone have a basic hello world script they c...

by Builder in

Not receiving readable logs from Brocade Switches

We have added brocade switches to heavy forwarder via tcp:6514. We are able to receive the logs , but not in a readab...

by Explorer in

How to use blacklist in inputs.conf?

Hi, How do you edit inputs.conf to blacklist some hosts from indexing and index those hosts to different index? ...

by Path Finder in

SNMP -- Correcting date/time output and rogue ap mac address

Hello, I just configured an SNMP-Trap on an RHEL box to send to Splunk. Getting the following output: Agent Ho...

by New Member in

Need help on TIME_FORMAT and TIME_PREFIX

I have a props.comf that is not working for TIME_FORMAT and TIME_PREFIX for the below log structure. Trying to break ...

by Explorer in

How can I override sourcetype and redirect to another index?

Hi Guys, I want to override sourcetype for all events before being indexed and redirect some of those events (those w...

by Explorer in

Why is my Remote File & Directory input not automatically inputting data?

I currently have a Remote File & Directory Data Input on the following log 'C:\Windows\System32\winevt\Logs\Microsoft...

by Engager in

How do you audit for who is disabling Data Input?

Recently, we found one data input for receiving syslog was stopped. We don't know if the service issue is auto sto...

by New Member in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

How to enable rest-api?

If I have two timestamps in my log file, how can I choose one timestamp as the timestamp of the event?

Would monitoring files with logrotate and delayed compression cause reindexing?

Can 6.5.2 indexers co-exist with 7.1.2 indexers?

How do I keep the Splunk CLI from disappearing in Windows so I can read the output?

Why do Summary Indexing commands help improve Splunk's performance?

How to use datamodel field values in tstats to filter resultant data?

How to configure the timezone by sourcetype?

How do I exclude log from sending to Splunk to save quota?

How to detect the beginning/ending of Daylight Savings Time?

Field Extraction from Source Field in props.conf

Why can't my UF send data from /var/log/messages?

How do you collect log within 1 hour from file log rotate?

Why is my UDP-input data appearing duplicated in the index?

Using SPATH notation in conf files

Why is Splunk not indexing in milli seconds?

This XML file does not appear to have any style information associated with it. The document tree is shown below.

HEC: Share a basic hello world script with Ruby to send to HEC?

Not receiving readable logs from Brocade Switches

How to use blacklist in inputs.conf?

SNMP -- Correcting date/time output and rogue ap mac address

Need help on TIME_FORMAT and TIME_PREFIX

How can I override sourcetype and redirect to another index?

Why is my Remote File & Directory input not automatically inputting data?

How do you audit for who is disabling Data Input?

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions