Getting Data In

Discussions

Thread Info

Use the same search for mutiple fields and events?

In order to search for the error records, I use : ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse...

by Explorer in

Use one or two TCP/UDP ports for two different sources of Syslog if I want them in separate sourcetypes

In my app, I want Syslog from two different sources in two different sourcetypes (since they both are of different ty...

by New Member in

How to view same results with different timezone users

Splunkers, Question: All my data sources and Indexers and Search heads are in PST time zone and Indexer time z...

by New Member in

If I change an event's sourcetype, can it then be processed as that sourcetype? Also, can an indexer transform forwarded events?

It seems that the transformation layer only processes an event once. If the factors that influence which props.conf s...

by New Member in

How to configure inputs.conf to blacklist "Account Name" field for EventCode 4656?

Splunk 6.2.6 inputs.conf blacklisting Viewed numerous blogs and answers on similar topics, but can't come up the corr...

by Explorer in

How to send same data source to two or multiple indexes

Consider I have to monitor below log file and send to two or multiple indexes at the same time. ( NOTE: Not indexers ...

by Path Finder in

How to create an 'all time' search with Splunk Ruby SDK?

In the UI, we have an option to search results from the beginning of out log collecting using the 'all time' option. ...

by Engager in

Using transaction to detect timeouts

I would like to use the transaction command to find adjacent log entries with the same IP and different Session IDs. ...

by Path Finder in

Is there a way set CPU and Memory consumption for splunkd process to a particular limit?

We have more than 3000+ forwarders in our environment. Few weeks back unix team has published a report showing all th...

by Communicator in

How to forward data from an indexer to a 3rd party server

Hi, I have the following setup: 3rd Party Server <---- Splunk Enterprise (Indexer):9997 <---- [Splunk Enterpris...

by Path Finder in

Splunk indexer got shutdown with "AdminHandler:ServerControl" error message in splunkd.log

Hi, Splunk Indexer got shutdown on its own and found below error messages in splunkd.log "08-25-2017 16:13:20.7...

by Communicator in

How to use dedup with two event IDs sensitive to time?

Good afternoon, I don't think I'm going to explain this well, but I'll try. I'm currently running a search for Win...

by Path Finder in

Running Splunk in PowerShell on Windows

Hello, I am a totally newbie with Splunk I have set up a universal forwarder. It seems to be working ok and sending s...

by Explorer in

Issue with setting up my forwarders to Syslog servers

Hi, I have the following setup on my heavy forwarder: outputs.conf [tcpout] defaultGroup = default-autolb-grou...

by Explorer in

What's the best way to escape characters in a drilldown if a field value has quotes?

Hi, some of my values have quotes in the string. Using the fieldlist for filtering, Splunk is automatically escapi...

by Motivator in

How to troubleshoot why we are seeing duplicate data when running a search in our indexer clustering environment?

Duplicate data. I am noticing that we are getting 4 identical lines occurring when i issue a search from a search ...

by Explorer in

Is there a way to prevent deletion of indexes?

Hi, We had a "mishap", and a number of indexes ended up getting deleted, due to a bad indexes.conf configuration. ...

by Champion in

Splunk unable to fetch Windows Security eventlogs

We have a Windows Universal Forwader installed as service-user (svcSplunk) with read access to ALL eventlogs. (Window...

by Super Champion in

unexpectedly installed a another instance of splunk on the Linux server on the same path,but the service is not started yet for the new installation.how to get it removed.

ran rpm -e on search head and then ran rpm -I --prefix= Now if I run ./splunk from splunk/bin folder, I am unable to...

by Engager in

How to configure forwarder to only forward events of the current day ?

I have a 20 days events in one log file but i want to monitor today's events only. i tried below stanza but not worke...

by Explorer in

Props/ Transforms problems - Meraki

Hello everyone! I'm trying to use props/ transforms to set a sourcetype and change the hostname of my devices. Cur...

by Explorer in

How can I debug my logs and whitelist a word?

Hi Everyone. How to discard all the debug logs for a sourcetype and whitelist a word "AuthIDDetection" whenever th...

by Path Finder in

How to validate or prove that disabling THP improves performance?

Hi, We are planning to disable Transparent Huge Pages (THP) on our Splunk Cloud Indexer. But the issue is how to v...

by Contributor in

What's the difference between these two transforms stanzas in props.conf?

May I know the difference between writing transforms stanza in props.conf in different ways Ex: transforms-xyz = ...

by Contributor in

JSON data with date not indexed

Hi, I am trying to index JSON data but Splunk refused to index it and I have no errors in logs. The format of my d...

by New Member in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Use the same search for mutiple fields and events?

Use one or two TCP/UDP ports for two different sources of Syslog if I want them in separate sourcetypes

How to view same results with different timezone users

If I change an event's sourcetype, can it then be processed as that sourcetype? Also, can an indexer transform forwarded events?

How to configure inputs.conf to blacklist "Account Name" field for EventCode 4656?

How to send same data source to two or multiple indexes

How to create an 'all time' search with Splunk Ruby SDK?

Using transaction to detect timeouts

Is there a way set CPU and Memory consumption for splunkd process to a particular limit?

How to forward data from an indexer to a 3rd party server

Splunk indexer got shutdown with "AdminHandler:ServerControl" error message in splunkd.log

How to use dedup with two event IDs sensitive to time?

Running Splunk in PowerShell on Windows

Issue with setting up my forwarders to Syslog servers

What's the best way to escape characters in a drilldown if a field value has quotes?

How to troubleshoot why we are seeing duplicate data when running a search in our indexer clustering environment?

Is there a way to prevent deletion of indexes?

Splunk unable to fetch Windows Security eventlogs

unexpectedly installed a another instance of splunk on the Linux server on the same path,but the service is not started yet for the new installation.how to get it removed.

How to configure forwarder to only forward events of the current day ?

Props/ Transforms problems - Meraki

How can I debug my logs and whitelist a word?

How to validate or prove that disabling THP improves performance?

What's the difference between these two transforms stanzas in props.conf?

JSON data with date not indexed

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions