Getting Data In

Discussions

Thread Info

Real Time Search On Dashboard Time Zone

I have a dashboard that has 2 real time search counts and all the other panels are based on scheduled searches. The r...

by New Member in

Batching gzipped files residing in 4 directories into Splunk, is there a way to run parallel batches on a Splunk 6.2.6 Linux universal forwarder?

I am batching gzipped files into Splunk. The files reside in 4 directories. Splunk, per splunkd.log, appears to be re...

by Path Finder in

How can I define new sourcetypes for one single TCP input ?

Hello, I'm trying to implement Splunk on a really big project. My team and I already used a LogLogic solution and ...

by New Member in

After a restart, is there a way to configure which monitor stanzas Splunk should start processing first to prioritize what gets indexed?

HI, I have a few large directories that take a long time for Splunk to start indexing after a restart. Is there a...

by Contributor in

How to strip the FQDN from an inputs.conf monitor path using host_segment?

I have files on multiple servers that I need to log that are housed in a directory where the path includes the system...

by Engager in

How to exclude one or more cluster peers from the index replication target list?

As the Cluster Deployments are reaching maturity, we are planning to add a new Cluster Peer/Indexer to the existing C...

by Splunk Employee in

Is it possible for the cluster master to have a different OS than the indexer cluster peers? What are the potential drawbacks?

My Splunk environment has two indexers running on VMs with Linux OS, and I want to create an indexer cluster. My thir...

by Explorer in

What decides the order of the fields output in CSV files from Splunk, and is there a way to control the order?

We output .csv file from splunk. When we test on a test machine, the order of CSV file fields is "Action", "Return...

by Path Finder in

How to configure Splunk for input active files?

Hi, I'm already monitoring new files in a directory, but I would like to monitor the changes in the files too. Her...

by Builder in

How do I edit my props.conf and transforms.conf to filter select events from one source file from getting indexed?

We have a vanilla install, just one stand alone Splunk Server. I am wanting to filter select events from one source f...

by New Member in

Input files have changed format, so how do I edit my configurations to keep the old data and handle the new data?

Hi, Here is my situation (and I know it isn't ideal, but I have to work with it for now) I have scripts that pr...

by Path Finder in

Is it possible to filter all values in certain fields from our access logs to nullQueue?

Hey, We have a regular access log file with fields named UserAgent and Method. Is it possible to send all data in...

by Path Finder in

What is the proper indexes.conf syntax for moving colddb to another volume?

I would just like to confirm my syntax... I've read a bunch of postings, I've RTFM, but none have an actual sample or...

by Contributor in

Help save fschange! Still seeing great value in keeping fschange (deprecated since 5.x)

When my company first purchased Splunk 4.x fschange was not deprecated and was one of the reasons that we have Splunk...

by Path Finder in

After creating a new sourcetype, where do I find the props.conf for it?

Hello, I created a new sourcetype and there is no props.conf in splunk/etc/system/local.. Where is it stored? o...

by Influencer in

Ingesting AlienVault OTX feed service with Splunk?

Someone recently asked me how they could tie Splunk in with the free AlientVault OTX feed service. Has anyone ever do...

by Splunk Employee in

Why am I seeing "Authentication failed" in the Distributed Management Console for search peers added using CLI commands in a script?

Hi all, I add the search peers by using the CLI commands in a script. When I check the Distributed Management Cons...

by Path Finder in

Getting Data In

Discussions

Real Time Search On Dashboard Time Zone

Batching gzipped files residing in 4 directories into Splunk, is there a way to run parallel batches on a Splunk 6.2.6 Linux universal forwarder?

How can I define new sourcetypes for one single TCP input ?

After a restart, is there a way to configure which monitor stanzas Splunk should start processing first to prioritize what gets indexed?

How to strip the FQDN from an inputs.conf monitor path using host_segment?

How to exclude one or more cluster peers from the index replication target list?

Is it possible for the cluster master to have a different OS than the indexer cluster peers? What are the potential drawbacks?

What decides the order of the fields output in CSV files from Splunk, and is there a way to control the order?

How to configure Splunk for input active files?

How do I edit my props.conf and transforms.conf to filter select events from one source file from getting indexed?

Input files have changed format, so how do I edit my configurations to keep the old data and handle the new data?

Is it possible to filter all values in certain fields from our access logs to nullQueue?

What is the proper indexes.conf syntax for moving colddb to another volume?

Help save fschange! Still seeing great value in keeping fschange (deprecated since 5.x)

After creating a new sourcetype, where do I find the props.conf for it?

Ingesting AlienVault OTX feed service with Splunk?

Why am I seeing "Authentication failed" in the Distributed Management Console for search peers added using CLI commands in a script?

Our ISP sends us Exchange log files every hour. What is the best solution to analyze this?

Data Retention - can we copy frozendb to tape?

Why does excludeFromUpdate not work in serverclass.conf?

Get data from WMI to splunk forwarder

Sourcefile name changes at index time - intermitte...

Troubleshoot the Splunk Add-on for Microsoft Cloud...

Salesforce Add-on - Lost my server and trying to r...

Configure Azure Storage Blob Modular Input for Spl...