Getting Data In

Thread Info

Can props.conf and transforms.conf be created in the Deployment Server GUI to push to indexers?

Do props.conf and transforms.conf need to be created in $SPLUNK_HOME/etc/deployment-apps/YOURAPP/local or can it be c...

by Explorer in

How to do the equivalent of a debug/refresh on cluster master master-apps?

I'm updating /master-apps/_cluster/local/indexes.conf and then pushing the bundle. I check the cluster's search head ...

by Builder in

Clone a subset of data

I'd like to send a sample of my prod data to a test env. Is this possible ? for example my prod data from one ...

by Path Finder in

SHA1 issue for splunk 8008 port for DCN vmware

i am using 6.4..4 and by scaning we got issue on 8008 port as SHA 1 alert so how to make 8008 port (vmware DCN port)...

by Path Finder in

How can we send data to 2 different groups of indexers?

Hi We are looking to forward same data to different indexers and we did the below steps for this. We have 2 ap...

by Path Finder in

Parsing error | ERROR LineBreakingProcessor - Line breaking regex has no capturing groups: \"\}

Hey Ninjas, I'm getting the below-parsing error when indexing the JSON formatted events. ERROR LineBreakingProc...

by Path Finder in

How many sources are there and what are the sizes of each sources?

I am trying to write a code where I should be able to count how many 'Sources' are there and the size/linecount of ea...

by Contributor in

Unable to start Splunk universal forwarder on AIX Server - Module Error

On installing the universal forwarder using a service account with full permission (777) and also have tried multiple...

by Contributor in

How to configure props.conf TIME_FORMAT to recognize 2 variations of a timestamp?

I have a log that has time expressed like this 20151218111015. So that would be December 18th, 2015 11:10:15. However...

by Communicator in

how to make this into a transaction: group events under previous field until new field is present

My events all have a sequence (field), however, some events are "multiline". I want to group them together. Example: ...

by New Member in

Inputs defined sourcetype overwrite a specific source using props and transforms

Hi , all my /var/log file are are input configured to redirect to sourcetype=unixlogs and now i would like to redirec...

by Path Finder in

Indexed time and event logged time is mismatching

We are getting events from one of our application ,But the indexed time and event logged time is different ,Please le...

by Explorer in

How to parse the events

Type: VIP Status | Target: /Common/phutan.mayhem.com-80-int-llb | Status: The children pool member(s) either don't ha...

by Contributor in

Indexer's $SPLUNK_HOME /var/run/searchpeers/ excessive disk usage and bundles not being reaped

Problem: Excessive disk space consumed on indexer in $SPLUNK_HOME/var/run/searchpeers to the point where the indexer ...

by Splunk Employee in

DS: Disable specific input (not the app) on a specific UF host

We have one host where one of the inputs in an app distributed by the Deployment Server is causing too much traffic. ...

by Path Finder in

How to GET latest and previous events from a different host?

Hi all , This is my problem : I have a table with time,log and host. sample : host 1 <event log> 2018-06-05 23:...

by Builder in

set search results as the default value of a multi select when the dashboard loads.

Hi guys, for example i have a search that returns 7 id's. What I wanted to do is set those 7 ids as the default value...

by Explorer in

Index only rows that match a pattern

i have a file with following pattern : SERVICESTATE::CRITICAL , which updates everyday. this file also has many other...

by Builder in

Can these ingestion related tasks be completed through the REST API?

Our organization creates new indexes almost daily for one-off/one-shot logs from different customers we work with. Th...

by Builder in

How to monitor [WinEventLog://System] event logs for "Critical" or "Error" event logs only (Level 1 and 2)

Is there any way to monitor System Event Viewer logs ( [WinEventLog://System] ) for Event Level set to "Critical" and...

by Builder in

Issue in Data Parsing for extracting the field .

Hi Team, I’m struck in parsing the data, please advise how to handle the data. In the log of an application a ...

by Explorer in

Change Time Window Filter to another type of filtering

In the Time Window Filter, I can filter through events based on the time they arrived However, I would lik...

by Explorer in

how to split multiline JSON events/ Group multiline JSON event.

HI, Log File [ { "name" : "TraderCurrency", "type" : "RiskBreakdown", "duration" : 1173, "count" : 1, ...

by Builder in

How can I anonymize fields of data that has undergone indexed extractions?

I'm on a standalone Splunk environment. I've got some .csv files, and I'd like to use indexed extractions for them as...

by SplunkTrust in

Universal forwarder not forwarding

Hello, I'm trying to forward logs from azLog (Azure log integration) into my splunk indexer. Both are running on AWS ...

by New Member in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Can props.conf and transforms.conf be created in the Deployment Server GUI to push to indexers?

How to do the equivalent of a debug/refresh on cluster master master-apps?

Clone a subset of data

SHA1 issue for splunk 8008 port for DCN vmware

How can we send data to 2 different groups of indexers?

Parsing error | ERROR LineBreakingProcessor - Line breaking regex has no capturing groups: \"\}

How many sources are there and what are the sizes of each sources?

Unable to start Splunk universal forwarder on AIX Server - Module Error

How to configure props.conf TIME_FORMAT to recognize 2 variations of a timestamp?

how to make this into a transaction: group events under previous field until new field is present

Inputs defined sourcetype overwrite a specific source using props and transforms

Indexed time and event logged time is mismatching

How to parse the events

Indexer's $SPLUNK_HOME /var/run/searchpeers/ excessive disk usage and bundles not being reaped

DS: Disable specific input (not the app) on a specific UF host

How to GET latest and previous events from a different host?

set search results as the default value of a multi select when the dashboard loads.

Index only rows that match a pattern

Can these ingestion related tasks be completed through the REST API?

How to monitor [WinEventLog://System] event logs for "Critical" or "Error" event logs only (Level 1 and 2)

Issue in Data Parsing for extracting the field .

Change Time Window Filter to another type of filtering

how to split multiline JSON events/ Group multiline JSON event.

How can I anonymize fields of data that has undergone indexed extractions?

Universal forwarder not forwarding

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

splunkd.log errors and broken fishbucket on splunk...

update to Splunk Add-on for Infoblox?

CSAM Reports - 500 ERROR