Getting Data In

Thread Info

How to validate or prove that disabling THP improves performance?

Hi, We are planning to disable Transparent Huge Pages (THP) on our Splunk Cloud Indexer. But the issue is how to v...

by Contributor in

What's the difference between these two transforms stanzas in props.conf?

May I know the difference between writing transforms stanza in props.conf in different ways Ex: transforms-xyz = ...

by Contributor in

JSON data with date not indexed

Hi, I am trying to index JSON data but Splunk refused to index it and I have no errors in logs. The format of my d...

by New Member in

How can I open the source file belonging to an Event.

If I run a search and then go to one of the Events in the search results, when I click the Source, I get a window wit...

by Engager in

Can a "redundancy" forwarder be triggered to send logs if the primary forwarder is down?

Hi, Is it possible to configure the indexer to index logs from one forwarder only (say forwarder 1) and if logs from...

by Explorer in

Help with setting the hostname path on ~200 servers?

We are pushing out forwarders to over 200 servers this month. I intend to connect the forwarders to a deployment serv...

by Explorer in

Where does batch search write temp files?

I am seeing this error on panels: [indexer01] Streamed search execute failed because: Error in 'BatchSearch': The...

by Motivator in

Help to remove brackets and commas from data, sort into a CSV, and dedup

I have data which looks like the following: [000003074859, 000003075752, 000003224575, 000003228286, 000003235217,...

by Explorer in

HTTP Event Collector: Why am I getting error "Invalid authorization" with my WEBHOOK_URL?

Can someone tell me why this is failing with Invalid authorization? I think that the endpoint is as documented. W...

by Motivator in

I am looking for clarification on SSL compression settings in relation to security.

Security scans of my forwarders are alerting on "TLS CRIME". I have read the Splunk Answer regarding this but I am a ...

by Path Finder in

How to split json array into multiple events?

Hi , I have this json data which I am unable to parse through any of the props.conf mechanisms. {"meta": {"li...

by Path Finder in

How to exclude Null Values from field extractions

I am building a TA. The issue I am having is the log file has a field error="". Even though it is null the error ...

by Path Finder in

How to filter results based on user value or lack of user value?

I am looking to filter results based on the users. The problem is some of the data doesn't have user value. Curren...

by Builder in

Does anyone have personal experience-based hardware recommendations for these requirements?

Hello, I need hardware recommendations for the following scenario: 1 Search Head Indexer Cluster (search factor...

by Communicator in

Why do we have SSL issues after installing a Splunk Universal Forwarder?

Installed Splunk forwarder 6.6.2 on an OpenStack controller node using the rpm package. We are now having problems wi...

by Explorer in

Palo Alto Networks syslog: 1 host is ingested with incorrect date

Pretty weird situation here. Bringing in multiple palo alto syslog sources, all going to the same main syslog directo...

by Contributor in

_internal index data not archiving/deleting after 30 days.

Hi guys, I was wondering if anyone knows why my _internal index information is not archiving/deleting from frozen...

by Communicator in

Where should I point my REST API requests in a distributed deployment?

Hi Splunk Experts, I am writing a script that aims to do a periodic reachability and config check on my Splunk dep...

by Explorer in

How to override Splunk universal forwarder license acknowledgement?

How to override Splunk universal forwarder license acknowledgement on enterprise installation script?

by Communicator in

I have 100 alerts configured with certain condition, I have to change the condition but don't want to go to every alert and change the condition instead change in 1 place and it should change in all the places

I have 100 alerts configured with certain condition, I have to change the condition but don't want to go to every ale...

by New Member in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

How to validate or prove that disabling THP improves performance?

What's the difference between these two transforms stanzas in props.conf?

JSON data with date not indexed

How can I open the source file belonging to an Event.

Can a "redundancy" forwarder be triggered to send logs if the primary forwarder is down?

Help with setting the hostname path on ~200 servers?

Where does batch search write temp files?

Help to remove brackets and commas from data, sort into a CSV, and dedup

HTTP Event Collector: Why am I getting error "Invalid authorization" with my WEBHOOK_URL?

I am looking for clarification on SSL compression settings in relation to security.

How to split json array into multiple events?

How to exclude Null Values from field extractions

How to filter results based on user value or lack of user value?

Does anyone have personal experience-based hardware recommendations for these requirements?

Why do we have SSL issues after installing a Splunk Universal Forwarder?

Palo Alto Networks syslog: 1 host is ingested with incorrect date

_internal index data not archiving/deleting after 30 days.

Where should I point my REST API requests in a distributed deployment?

How to override Splunk universal forwarder license acknowledgement?

I have 100 alerts configured with certain condition, I have to change the condition but don't want to go to every alert and change the condition instead change in 1 place and it should change in all the places

Files not reindexing even after deleting the fishbucket

Heavy Forwarder losing data when forwarding data from HTTP Event Collector

How can I parse data before it is forwarded?

Can I call REST Endpoint of Universal Forwarder to pass log data from code?

How to change settings on a forwarder via REST API?

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Community Spotlight: A Splunk Expert's Journey

Power Platform audit logs

Trying to extract fields from a hybrid log Syslog/...

Regex works but transforms.conf extracts only part...

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Getting Data In

Are you a member of the Splunk Community?

Discussions