Getting Data In

Thread Info

Can you override sourcetype at inputs.conf without touching other config files ?

Hi all, Seems we have to override the sourcetype to sourcetype other than 'recognized' ones (e.g. syslog) in order...

by Communicator in

Applying different extractions to the same source from different hosts

I have two groups of servers that are both running haproxy, and the logs are in the same location (e.g. /var/log/hapr...

by Path Finder in

Alert when Splunk Universal Forwarder stops working/if uninstalled

Hello, How can I get alerts when Splunk UF is uninstalled on a Windows Machine? Or even if the SplunkForwarder Ser...

by Engager in

Time Log always add 7 hours

hello, i"m a newbie in splunk. i try to display my log file on splunk, but i had a issue here. this in example for...

by New Member in

How to use REST API over port 8089 with the Splunk Web SSL certificate instead of the self-signed certificate?

Let me point out I've checked all the 8089 certificate questions on >answers, but have a slightly different question....

by Communicator in

How to configure in props/transforms.conf to remove the event data which does not contain any information in it?

Hi Splunk experts, Just want to know how can I remove events which does not contain any information in it? Example...

by Motivator in

Does anyone have an updated Dockerfile for 7.1.0?

The docker file for 7.1.0 referenced in Docker hub here: https://hub.docker.com/r/splunk/splunk/ And more specific...

by New Member in

Connection closes with INFO TcpOutputProc - Detected connection to 10.x.x.x:9997 closed.

TCP connection closes after few hours and will not re-establish even after splunk restart. Connection gets re-establ...

by Engager in

Graylog sending to SPLUNK over 9997

I have Graylog forwarding to a UF over port 9997 and I see events streaming in but not being picked up by SPLUNK. I h...

by Path Finder in

universal forwarder is taking about 30GB of Memory - Is this normal?

Hi My universal forwarder is taking about 30GB and my IT guys are asking is this normal. I have just restarted it ...

by Influencer in

Is it possible to list out empty index

Hi, I am working on index="retail_ca", The problem with this index is some days the data is not ingesting in this...

by Communicator in

Additional search in REST API results enpoint

I'm using curl and the REST API to submit a job and fetch the results by search id. What I'd like to do is, rather th...

by New Member in

Is it possible to create a command that launches a powershell script?

We currently have a PowerShell script that queries one of our EDR solutions and returns all data for the specified ho...

by Path Finder in

Forward data from logstash-forwarder to Splunk Indexer

Hi all, we have an ELK-cluster in our company and now we want to have the data, we have in ELK, as well in Splunk....

by Path Finder in

How to split multiple lines of data into a single individual line in splunk?

Hi All, We are monitoring the wtmpx data from the Unix machines via splunk using the Splunk add-on for Unix, based on...

by Motivator in

Why am I unable to boot-start splunk universal forwarder as non-root user on MacOS High Sierra?

Hi there, I'm new to Splunk and am testing out installing splunk forwarder on some Mac clients running High Sierra...

by Engager in

Splunk - Server and Application logs timestamps are different

We have a set of servers where the server Timezone is in PST/PDT but the application running on that server has log t...

by New Member in

Why does the forwarder stops sending data to all configured TCP connections when one connection is not available?

Hello, I'm new to splunk and hope you can help me with this problem. I'm using Universal forwarder to send data fr...

by Engager in

why are my configurations not working even after reboot?

The log files I'm working with are using the log4j syntax, and I'm loading them into splunk through the GUI (not real...

by New Member in

Why is the TIMESTAMP_FIELDS setting in props.conf, on the Universal Forwarder, not taken into account?

I have the issue that the TIMESTAMP_FIELDS setting in the props.conf on the Universal Forwarder is not taken into acc...

by Path Finder in

Forwarder refusing to start

My forwarder was working fine but stopped and I can't get it running again. Running the splunk start command appears ...

by Path Finder in

"ERROR DistributedPeerManagerHeartbeat - A time skew of approximately 61 seconds exists between this search head and peer indexer1"

Hi Splunkers, I'm getting the following error on my search head's splunkd.log: ERROR DistributedPeerManagerHear...

by Communicator in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Can you override sourcetype at inputs.conf without touching other config files ?

Applying different extractions to the same source from different hosts

Alert when Splunk Universal Forwarder stops working/if uninstalled

Time Log always add 7 hours

How to use REST API over port 8089 with the Splunk Web SSL certificate instead of the self-signed certificate?

How to configure in props/transforms.conf to remove the event data which does not contain any information in it?

Does anyone have an updated Dockerfile for 7.1.0?

Connection closes with INFO TcpOutputProc - Detected connection to 10.x.x.x:9997 closed.

Graylog sending to SPLUNK over 9997

universal forwarder is taking about 30GB of Memory - Is this normal?

Is it possible to list out empty index

Additional search in REST API results enpoint

Is it possible to create a command that launches a powershell script?

Forward data from logstash-forwarder to Splunk Indexer

How to split multiple lines of data into a single individual line in splunk?

Why am I unable to boot-start splunk universal forwarder as non-root user on MacOS High Sierra?

Splunk - Server and Application logs timestamps are different

Why does the forwarder stops sending data to all configured TCP connections when one connection is not available?

why are my configurations not working even after reboot?

Why is the TIMESTAMP_FIELDS setting in props.conf, on the Universal Forwarder, not taken into account?

Forwarder refusing to start

"ERROR DistributedPeerManagerHeartbeat - A time skew of approximately 61 seconds exists between this search head and peer indexer1"

Event and log timestamps are off by a bit

Encountering a "command not found" error when executing rebuild command

In Splunk hec, what should you check if you cannot search fields from http event collector in SHC?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions