Getting Data In

Thread Info

How do I keep the Splunk CLI from disappearing in Windows so I can read the output?

Hi I have two Splunk deployments, one running Splunk 7.1.0 on Windows Server 2016 and Splunk 7.1.2 on Windows 10. Whe...

by Path Finder in

Why do Summary Indexing commands help improve Splunk's performance?

Hi, I have a search that will fetch about 5 GB of application logs. In order not to put load on the Splunk instanc...

by Explorer in

How to use datamodel field values in tstats to filter resultant data?

I'm trying to search my Intrusion Detection datamodel when the src_ip is a specific CIDR to limit the results but can...

by Builder in

How to configure the timezone by sourcetype?

I'm doing like this: FIELD_NAMES = DATAAREAID,RECID,DATAAREAID2,ITEMID,TRANSDATE,SUMOFQTYSEND,SUMOFQTYRET,RECIDLIN...

by Path Finder in

How do I exclude log from sending to Splunk to save quota?

Hi guys. I have daily quota for 3G. but the log is too much. So, I'm trying to exclude some logs, like heart bea...

by New Member in

How to detect the beginning/ending of Daylight Savings Time?

I have a report in which a date/time field is converted from GMT to MST/MDT, depending on if it is currently in Dayli...

by Communicator in

Field Extraction from Source Field in props.conf

Hello, I am going bananas trying to figure out the error in my props.conf. All of my logs are collected using Spl...

by Engager in

Why can't my UF send data from /var/log/messages?

Question: why is /var/log/messages not forwarded to index? My deployment: UF: version 7.1.2 RHEL 6.10 /opt/splu...

by Engager in

How do you collect log within 1 hour from file log rotate?

Dear all, I have file log access /var/log/secure . Use log rotate ( setting daily) I need collect log login fail 3...

by New Member in

Why is my UDP-input data appearing duplicated in the index?

I've carried out two searches to find out splunk is indexing duplicate search results which are from the same host, s...

by Path Finder in

Using SPATH notation in conf files

Hi guys, I need to uto extract fields and values during search time using SPATH notation in props.conf and transforms...

by Explorer in

Why is Splunk not indexing in milli seconds?

Hi All, I configured an input in which the timestamp field is in format 20180830112930314 (%Y%m%d%H%M%S%3N). The s...

by Path Finder in

This XML file does not appear to have any style information associated with it. The document tree is shown below.

This XML file does not appear to have any style information associated with it. The document tree is shown below. ...

by New Member in

HEC: Share a basic hello world script with Ruby to send to HEC?

All, I need to send some data from a Ruby script to HEC collectors. Anyone have a basic hello world script they c...

by Builder in

Not receiving readable logs from Brocade Switches

We have added brocade switches to heavy forwarder via tcp:6514. We are able to receive the logs , but not in a readab...

by Explorer in

How to use blacklist in inputs.conf?

Hi, How do you edit inputs.conf to blacklist some hosts from indexing and index those hosts to different index? ...

by Path Finder in

SNMP -- Correcting date/time output and rogue ap mac address

Hello, I just configured an SNMP-Trap on an RHEL box to send to Splunk. Getting the following output: Agent Ho...

by New Member in

Need help on TIME_FORMAT and TIME_PREFIX

I have a props.comf that is not working for TIME_FORMAT and TIME_PREFIX for the below log structure. Trying to break ...

by Explorer in

How can I override sourcetype and redirect to another index?

Hi Guys, I want to override sourcetype for all events before being indexed and redirect some of those events (those w...

by Explorer in

Why is my Remote File & Directory input not automatically inputting data?

I currently have a Remote File & Directory Data Input on the following log 'C:\Windows\System32\winevt\Logs\Microsoft...

by Engager in

How do you audit for who is disabling Data Input?

Recently, we found one data input for receiving syslog was stopped. We don't know if the service issue is auto sto...

by New Member in

How to have my JSON output data in separate rows and not a single one?

This is the output of my JSON data. I would want to see it in separate rows and not in a single row. When I do mvexpa...

by Path Finder in

The precise sourcetype setting when importing ESET logs

I currently use the ESET Remote Administrator. However, I can not divide log fields with sourcetype. Please tell me t...

by New Member in

Is it possible to generate the sourcetype based on the source?

We have hundreds of ldap servers ready to be splunked. We would like to generate the sourcetype based on the source. ...

by Ultra Champion in

Why is date not parsing correctly on my search head cluster?

I have 2 splunk environments a DEV and PROD. I am send events from same syslog source. I have this date parsing: T...

by Path Finder in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

How do I keep the Splunk CLI from disappearing in Windows so I can read the output?

Why do Summary Indexing commands help improve Splunk's performance?

How to use datamodel field values in tstats to filter resultant data?

How to configure the timezone by sourcetype?

How do I exclude log from sending to Splunk to save quota?

How to detect the beginning/ending of Daylight Savings Time?

Field Extraction from Source Field in props.conf

Why can't my UF send data from /var/log/messages?

How do you collect log within 1 hour from file log rotate?

Why is my UDP-input data appearing duplicated in the index?

Using SPATH notation in conf files

Why is Splunk not indexing in milli seconds?

This XML file does not appear to have any style information associated with it. The document tree is shown below.

HEC: Share a basic hello world script with Ruby to send to HEC?

Not receiving readable logs from Brocade Switches

How to use blacklist in inputs.conf?

SNMP -- Correcting date/time output and rogue ap mac address

Need help on TIME_FORMAT and TIME_PREFIX

How can I override sourcetype and redirect to another index?

Why is my Remote File & Directory input not automatically inputting data?

How do you audit for who is disabling Data Input?

How to have my JSON output data in separate rows and not a single one?

The precise sourcetype setting when importing ESET logs

Is it possible to generate the sourcetype based on the source?

Why is date not parsing correctly on my search head cluster?

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions