Getting Data In

Start a Conversation

Discussions

Start a Conversation

Thread Info

Generating props.conf and transforms.conf from Splunk web

Hi all Since I'm quite new at this, I was wondering is it possible (on Windows) to generate props.conf and transfo...

by New Member in

Splunk Enterprise: index-time parsing configuration creating/ editing of "props.conf"

Hello, Based on Splunk recommendation the best path for this file"props.conf" is: $SPLUNK_HOME/etc/system/loc...

by New Member in

problems with time stamp extraction

I have been given a log file to ingest into Splunk as part of a Lab exercise, but Splunk it not extracting the time a...

by Splunk Employee in

Collecting Windows eventlogs with whitelist based on word

Hi I need to collect all Windows security logs from my infrastructure with Splunk UF installed which include speci...

by Path Finder in

Taking over an old Splunk deployment, how should I get data forwarded to our Splunk indexer?

Hello, As I've said in a previous post, I am new to Splunk so please excuse the newb questions. I have been tas...

by Explorer in

Windows Forwarder - Unable to rotate/delete log file. Handle open by splunkd.exe?

Has anyone run into this before? I'm unable to rotate logs due to files being opened by the forwarder. The files have...

by Communicator in

Why are we missing data in Splunk after rsyslog?

Hello, I am missing data in my current setup (about 20 to 30%). Instance A is sending data to Instance B o...

by Explorer in

Feroda logs

Hello. Does anyone have experience with what is reflected in the subject question (Journalctl logs)? I must copy...

by Communicator in

Restarting a universal forwarder on AIX, why do I get error "ulimit - Splunk may not work due to small data segment/resident memory limit"?

Hi, I get the following error when I restart our universal forwarder for AIX, 05-24-2016 18:06:26.872 +0800 I...

by Explorer in

Should a summary index be created on both Search Head and Indexer?

I created a new index (test_summary) in the Indexer for storing summary data. Then I created a new report in Searc...

by Contributor in

How do I configure Splunk to read events by timestamp?

Hello All our logging events start with a time stamp that looks like this: 00:00:23,746 The data in between the...

by New Member in

eof error when reading file

Hello, We recently started to notice that a file that used to be monitored fine is no longer being pulled into spl...

by Splunk Employee in

Why is Splunk importing header fields from CSV files as events?

Hi Guys, I do a data Input from a folder. The folder contains CSV files. Splunk imports all the data in a correct ...

by Path Finder in

Importing data from a CSV file, how do I edit props.conf to assign a specific column to be parsed as _time?

Hi Guys, I do data import from a CSV and I would like set the eventtime ( _time) to a specific column because the ...

by Path Finder in

How to search license usage by indexer server and top 10 host usage per indexer?

Hi All, I got a request to create report for License Usage by Indexer Server and Top 10 Host usage per Indexer Ser...

by Path Finder in

Why am I getting splunkd.log warning "Could not parse mtime for status.csv in search...coercing to time 0"?

Why am I getting the following warning in splunkd.log WARN JobsFeed - Could not parse mtime for status.csv in sea...

by Engager in

User list from Active directory

Hi How to get the user details from the Active directory with OU name using ldapsearch?

by Builder in

Transpose CSV column headers to row

Hello, Is Splunk able to, before or after indexing, transpose column and rows in this way: original file: has col...

by Path Finder in

How to disable the universal forwarder default management port 8089 with a deployment server?

I'm trying to disable the default management point on the universal forwarders (8089) with the deployment server and ...

by Explorer in

After disabling default port 8089 due to app conflict, why is our universal forwarder unable to contact the deployment server?

We found that we have a new server type with a new internal application that is using port 8089 and would not allow t...

by Explorer in

Getting Data In

Discussions

Generating props.conf and transforms.conf from Splunk web

Splunk Enterprise: index-time parsing configuration creating/ editing of "props.conf"

problems with time stamp extraction

Collecting Windows eventlogs with whitelist based on word

Taking over an old Splunk deployment, how should I get data forwarded to our Splunk indexer?

Windows Forwarder - Unable to rotate/delete log file. Handle open by splunkd.exe?

Why are we missing data in Splunk after rsyslog?

Feroda logs

Restarting a universal forwarder on AIX, why do I get error "ulimit - Splunk may not work due to small data segment/resident memory limit"?

Should a summary index be created on both Search Head and Indexer?

How do I configure Splunk to read events by timestamp?

eof error when reading file

Why is Splunk importing header fields from CSV files as events?

Importing data from a CSV file, how do I edit props.conf to assign a specific column to be parsed as _time?

How to search license usage by indexer server and top 10 host usage per indexer?

Why am I getting splunkd.log warning "Could not parse mtime for status.csv in search...coercing to time 0"?

User list from Active directory

Transpose CSV column headers to row

How to disable the universal forwarder default management port 8089 with a deployment server?

After disabling default port 8089 due to app conflict, why is our universal forwarder unable to contact the deployment server?

Docs for DBConnect v2

How do I make sure that my events will always be i...

auto parse json data failed by source type configu...

Specifying a catch-all in inputs.conf?

Why am I getting an SSL Cert Verify Failed Error S...