Getting Data In

Discussions

Thread Info

How to send syslog data to the indexer and another TCP listener?

Need a little help as I have not set this up before. Here is my scenario. I have an APP that can only send syslog ...

by Builder in

Why is the timestamp column missing? Search included "index=index_name"

timestamp column is missing in splunk . While I am searching index=index_name. first column should be with time-stamp...

by Engager in

Permanently delete events from an index

hi, i want to delete from an index only the events i dont need. i know that the delete command only hide events fr...

by Path Finder in

How to parse complete command line information into the event field ?

Hi All, Today we got an request from a user to include the entire information provided in the command line, when chec...

by Motivator in

field extraction disappeard, could this happen after a reinstall of the forwarder

Hi, one of our admins has reinstalled a fowarder. No we have issues with data that is not coming through anymore but ...

by Path Finder in

Monitor log files with spaces in the file name

hi, I am having issues with splunk universal forwarder monitoring log files with spaces in the name . The file is...

by Builder in

Is there an app that can restart the Splunk universal forwarder service on Windows every 30 minutes?

Hi, I need to deploy an app from deplyment server which will restart the Splunkd UF application installed on Windo...

by Path Finder in

Splunk Forwarding doesn't forward data

We have a single data source from which we want to forward clone data to - splunk server 1(prod) and splunk server 2(...

by Path Finder in

Routing received data TO an external HEC via HTTPS?

Is it possible to route a stream of data from a heavy forwarder or indexer TO an external non-Splunk HTTPS endpoint (...

by Explorer in

Best way to load archived applcation log files without exceeding license?

Our daily license is 15GB we use about 10GB on average. However I want to load our archived application log files whi...

by Engager in

what is the best way to index a lot of data?

Hello everybody, I will set up a platform for a future project and integrate Splunk to analyze all the generated l...

by Path Finder in

2 clusters vs clustered and unclustered vs etc/system/local

We are running a large multi-site clustered indexer environment which is maturing causing us to make some changes to ...

by Path Finder in

Cannot change host field in syslog data

Hi Splunkers, I collect syslog（/var/log/messages） data by Universal Forwarder, not UDP like this. Sep 3 12:42:16 i...

by Contributor in

Why are blacklisted 4663 and 4660 events still showing up?

I am hoping someone can help me out with a filtering blacklist issue I am having. I am currently filtering out event ...

by Path Finder in

Is there a config available that would push out the same format as Snare from a Heavy Forwarder?

Is there a config available that would push out the same format as Snare from a Heavy Forwarder? i.e. UniversalForwar...

by Explorer in

UF compatability for Knoppix and Fedora

Could you suggest the compatible UF package for the Operating system Knoppix and Fedora? I have checked on this li...

by New Member in

Why splunk is not able to index large csv files,

I'm trying to index a 3.5 GB csv file, but splunk is not reading it. Any clues ?

by Explorer in

CSV Import: fieds name are missing, but showing up while uploading process.

Hi there, i tried to upload a csv-file. During Uploading I could separate the fields with a "comma" and the field...

by New Member in

Using Transforms.conf truncates my data at 3925 characters - Why?

Ladies and Gents, I'm struggling trying to transform some of my data. props.conf [st1] NO_BINARY_CHECK = tru...

by Path Finder in

How to extract host field with many other fields in a single transformation step (DEST_KEY versus WRITE_META)

I am playing with a custom format for data going into Splunk on Splunk 7.0, and I am trying to extract fields at inde...

by Champion in

What happens if "DEST_KEY = MetaData:Host"?

May I know the answers for the below questions. what happens if DEST_KEY = MetaData:Host? Does the Host metadata r...

by Contributor in

Apply multiple transforms to a single host

How can I have multiple host stanzas in transforms.conf all be applied? I'd like to pull content out of some entries ...

by Path Finder in

Decrease bundle size

The bundle in the search head has grown upto 776 MB. Its not getting pushed as a result. How to reduce the bundle si...

by Builder in

Filtering data using SHOULD_LINEMERGE

Hi all, I have configured the line breaking parameter as (SHOULD_LINEMERGE = true) to read a log file that contain...

by Communicator in

Combinate SHOULD_LINEMERGE with Filtering

Hi all, I am trying to have a combination of SHOULD_LINEMERGE=true with filtering just to index some lines of the ...

by Communicator in

Get Updates on the Splunk Community!

Getting Data In

Discussions

How to send syslog data to the indexer and another TCP listener?

Why is the timestamp column missing? Search included "index=index_name"

Permanently delete events from an index

How to parse complete command line information into the event field ?

field extraction disappeard, could this happen after a reinstall of the forwarder

Monitor log files with spaces in the file name

Is there an app that can restart the Splunk universal forwarder service on Windows every 30 minutes?

Splunk Forwarding doesn't forward data

Routing received data TO an external HEC via HTTPS?

Best way to load archived applcation log files without exceeding license?

what is the best way to index a lot of data?

2 clusters vs clustered and unclustered vs etc/system/local

Cannot change host field in syslog data

Why are blacklisted 4663 and 4660 events still showing up?

Is there a config available that would push out the same format as Snare from a Heavy Forwarder?

UF compatability for Knoppix and Fedora

Why splunk is not able to index large csv files,

CSV Import: fieds name are missing, but showing up while uploading process.

Using Transforms.conf truncates my data at 3925 characters - Why?

How to extract host field with many other fields in a single transformation step (DEST_KEY versus WRITE_META)

What happens if "DEST_KEY = MetaData:Host"?

Apply multiple transforms to a single host

Decrease bundle size

Filtering data using SHOULD_LINEMERGE

Combinate SHOULD_LINEMERGE with Filtering

Introduction to Splunk AI

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Maximizing the Value of Splunk ES 8.x

Forwarding all logs from HF to third-party using s...

Splunk Observability Cloud/SignalFx - Related Cont...

Regex works but transforms.conf extracts only part...

Splunk Answers Content Calendar May 2025 🎉

Edge Processor Destination not showing up in Pipel...

Getting Data In

Are you a member of the Splunk Community?

Discussions