Getting Data In

Thread Info

While creating dropdown getting "Duplicate values causing conflict" error

I'm getting "Duplicate values causing conflict" error everytime, while I don't see any duplicate in the search result...

by New Member in

timestamp from XML multivalue

Hello, I am new to Splunk and I have task where I need to configure timestamp from XML file. <root> <day>...

by New Member in

Is it possible to have separate indexes within a single monitored directory?

I have a single directory being monitored. Via Splunk GUI, you can only select a single index for the logs to be outp...

by Explorer in

IIS Logs Count

From an IIS logs, if a user goes to the webpage once but 50 different thing are loaded on the webpage(example images)...

by New Member in

Props.conf EXTRACT stopped working after stanza change

Hello! This morning, i have changed the configuration of an inline extraction in props.conf. The original Extracti...

by Engager in

Indexed events from CSV with NULL values not shown

Hi Splunkers! I have an issue with Splunk 6.3.1 and the indexed data from a CSV file. On my CSV file (separed by s...

by Path Finder in

how to calculate approximate data that needs to be indexed in order to procure licensing as there would be multiple sources

how to calculate approximate data that needs to be indexed in order to procure licensing as there would be multiple s...

by New Member in

Programmatically detect age of oldest record to be sure splunk isn't discarding old data too soon?

I'm looking for suggestions on the best way to programmatically check the age of the oldest record in an index. If I ...

by Engager in

Re-send data with universal forwarder?

When using a lightweight-forwarder we were able to clean the fishbucket (eventdata) so that we could re-forward data....

by Path Finder in

How do we convert msidx v1 to msidx v2?

We have been using the metrics store since version 7.0. We notice that version 7.1 has a huge performance improvement...

by Path Finder in

Connect in splunk Mobile App

I need to configure some archive in my splunk enterprise to connect in Splunk mobile app?

by Explorer in

REST json output different from GUI and CLI

Hello, I used curl to call a REST command from deployment server and saw results are lighter (90 kb for ~ 500 agen...

by Motivator in

How to make Splunk recognize a timestamp that is logged across 2 fields with 3 digit time

I'm currently monitoring a directory of CSV files with a universal forwarder (UF) that has the timestamp split across...

by Communicator in

Why does searching absolute sourcetype name requires a wildcard?

I have configured props.conf and transforms.conf on a Heavy Forwarder in order to split an existing sourcetype into s...

by Explorer in

How to extract date field from the filename in Splunk and assign _time value to that in indexing phase

Hello Everyone, I have text file 20170701.txt where 2017-year, 07-month and 01-date. This file is coming from t...

by Communicator in

When setting up a heavy forwarder, do I need to create an index locally as I do in my indexer cluster?

When setting up a Heavy forwarder, do I need to have the index created locally as I do in my indexer cluster? So I am...

by Builder in

How do you use the indexing/preview API endpoint?

I'd like to create my inputs and sourcetypes via the API in a clustered environment. Then I'd like to send a test fil...

by Builder in

How to forward Windows Event Viewer HPC Server logs with inputs.conf? ,

I currently use inputs.conf file to forward Windows Event Viewer Application logs to Splunk via the following syntax:...

by New Member in

Any idea on where I am going wrong with bash_history timestamping?

All, I am extracting bash_history, the event looks like this. #1510170881 grep -r something * But ends up...

by Builder in

How do I enable a UF to accept REST API commands?

I'm reading through all of the API docs, and I am executing GET API calls against my search head successfully. Howeve...

by Builder in

Logs in an index getting rolled cold to frozen before size or time limits are reached

repFactor = auto homePath = volume:home/indexname/db coldPath = volume:SAN/indexname/colddb thawedPath = $SPLUNK_THAW...

by Contributor in

How do I remove fields from VMWare Add-on before indexing?

I'm currently receiving an excess amount of data from the VMWare app sample below and would like to only keep a few o...

by New Member in

Is there an API call or CLI argument to update the password for the bind user for LDAP authentication?

I have a very large, complex Splunk environment and I need to update the LDAP BIND user password. With over 100 insta...

by Explorer in

props/transforms.conf

Hi, I have the below data and I know that props and/or transforms.conf need to be modified to have the below repor...

by Motivator in

What is a good replacement to monitor Active Directory with Splunk 7.x?

I am trying to monitor changes in Active Directory and found a number of ways to ingest data from AD. Splunk Add-on f...

by Communicator in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

While creating dropdown getting "Duplicate values causing conflict" error

timestamp from XML multivalue

Is it possible to have separate indexes within a single monitored directory?

IIS Logs Count

Props.conf EXTRACT stopped working after stanza change

Indexed events from CSV with NULL values not shown

how to calculate approximate data that needs to be indexed in order to procure licensing as there would be multiple sources

Programmatically detect age of oldest record to be sure splunk isn't discarding old data too soon?

Re-send data with universal forwarder?

How do we convert msidx v1 to msidx v2?

Connect in splunk Mobile App

REST json output different from GUI and CLI

How to make Splunk recognize a timestamp that is logged across 2 fields with 3 digit time

Why does searching absolute sourcetype name requires a wildcard?

How to extract date field from the filename in Splunk and assign _time value to that in indexing phase

When setting up a heavy forwarder, do I need to create an index locally as I do in my indexer cluster?

How do you use the indexing/preview API endpoint?

How to forward Windows Event Viewer HPC Server logs with inputs.conf? ,

Any idea on where I am going wrong with bash_history timestamping?

How do I enable a UF to accept REST API commands?

Logs in an index getting rolled cold to frozen before size or time limits are reached

How do I remove fields from VMWare Add-on before indexing?

Is there an API call or CLI argument to update the password for the bind user for LDAP authentication?

props/transforms.conf

What is a good replacement to monitor Active Directory with Splunk 7.x?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

.NET Application Runtime Metrics Not Showing in Sp...

Streamfwd drops IPFIX data with “no template recei...

Forwarding all logs from HF to third-party using s...

Splunk Observability Cloud/SignalFx - Related Cont...

Regex works but transforms.conf extracts only part...

Getting Data In

Are you a member of the Splunk Community?

Discussions