Getting Data In

Discussions

Thread Info

how does time synchronization work between forwarder and indexer?

Hi we have hosts sending logs to indexer using universal forwarders. The hosts are spread across different time zones...

by Loves-to-Learn Lots in

how to handle thousands of events with the same timestamp...

Hi, I have a feed that collects snmp performance stats every 5 minutes. I am parsing this logfile with a heavy for...

by Champion in

Can't delete Events

Hello, we got some Events, which we need to clean up. So we need to wipe them: $HOME/bin/splunk search 'index=i...

by Communicator in

Why am I getting "access denied" when trying to edit inputs.conf on a Windows universal forwarder?

Recently I have configured a universal forwarder on a Windows 32 bit machine. I can see the Splunk process is running...

by Path Finder in

Splunk forwarder is logging data but why is Splunk Enterprise not showing the data in Splunk Web?

Splunk Forwarder metrics log on application node : metrics.log:05-19-2017 13:09:07.625 -0500 INFO Metrics - group...

by Observer in

How to read syslog events in Linux CLI?

hai, I have installed Splunk on cent-os 6.5 and able to see the syslog events on GUI. I want to see those events o...

by New Member in

How to override an index on per event basis?

So basically, I have a ton of events coming in on UDP 514. Based on the document linked below, I was able to configu...

by Explorer in

How to write the correct TIME_FORMAT and LINE_BREAKER for my sample data?

Hello all, i have a log file in which there is no date in the log events and it might also contain stack-trace ...

by Path Finder in

How to convert "LastBootUpTime" to epoch time (including the timezone offset) in order to get the epoch reported in GMT?

I'm having difficulties converting Microsoft's LastBootUpTime into Epoch taking the timezone offset into account to g...

by Path Finder in

Why is there event duplication via TCP port?

Can anyone help me and clarify why Splunk duplicates events received from TCP port? The same type of events received ...

by Explorer in

How to configure Splunk to aggregate security access event logs?

I was hoping that I could get security events with the forwarder. I installed the forwarder but all I am getting are ...

by New Member in

problem with parsing indexes.conf when creating a new indexer?

hey, im new to splunk , im doing practice for arch lab, i was creating a index in indexes.conf , once i saved and res...

by Engager in

Data getting rollover to Frozen bucket irrespective of frozenTimePeriodInSecs set to 365 days (31536000 secs) for the index

Hi All, Need your help in understanding the reason behind the below behavior. The data in my Index A is getting ro...

by Engager in

I'm looking for some assistance/guidance with a home installation of Splunk...

Hey there Splunk gurus. I'm very new to Splunk and hoping for a little guidance. I have Splunk Enterprise with the...

by Engager in

how can i get the data from my Pc windows to my splunk entreprise running on linux fedora25

I install spunk enterprise on fedora server on virtual server(VM12 pro) and I try to get the data in ,then I install ...

by New Member in

Line breaking powershell output

I've attempted multiple times mixing up LINE_BREAKER, BREAK_ONLY_BEFORE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, no...

by Path Finder in

What are the dependencies for Universal Forwarder setup on Linux?

We are trying to install Universal Forwarder package (v 6.4.1) using the yum command by making use of the Splunk rpm ...

by Explorer in

How to configure Splunk to line break events into multiple lines instead of one line?

I have events coming in all in one line like: timestamp="2017-5-19 13:00:00.000", level="INFO", machine_name="bla...

by Engager in

taking the source file path and creating a field

if i wanted to take the app_name from the path of the source and create a field via the CLI of the input how would i ...

by Contributor in

indexing issue with IIS logs (File will not be read, seekptr checksum did not match)

I'm supporting a system where we have deployed servers that are uploading their IIS logs to a central location. The i...

by Contributor in

Why is data segregation by index not displaying events?

I'm trying to segregate data coming from a specific Heavy Forwarder using a specific index (my_index). So as per Answ...

by Path Finder in

How to get size counters for Splunk indexes over a period of time to check how fast volume utilization is growing?

Hi Splunk experts, Here is a search request: | eventcount summarize=false report_size=true index=* | eval GB = ...

by Path Finder in

MUST_BREAK_AFTER seems ignored

I've got the following in the log file: [80c729cb-d0fd-48a1-bdc8-f46219bce681] signed_in_user=abcdef [80c729cb-d0f...

by New Member in

When I search for _json sourcetype, I am not getting the results as highlighted

When I search for _json sourcetype, I am not getting the results as highlighted like json sourcetype should have been...

by Path Finder in

How to edit inputs.conf to monitor multiple files with different timestamps from same folder?

I have to monitor 2 files of different source type from same folder with different timestamps continuously for every ...

by Communicator in

Get Updates on the Splunk Community!

Getting Data In

Discussions

how does time synchronization work between forwarder and indexer?

how to handle thousands of events with the same timestamp...

Can't delete Events

Why am I getting "access denied" when trying to edit inputs.conf on a Windows universal forwarder?

Splunk forwarder is logging data but why is Splunk Enterprise not showing the data in Splunk Web?

How to read syslog events in Linux CLI?

How to override an index on per event basis?

How to write the correct TIME_FORMAT and LINE_BREAKER for my sample data?

How to convert "LastBootUpTime" to epoch time (including the timezone offset) in order to get the epoch reported in GMT?

Why is there event duplication via TCP port?

How to configure Splunk to aggregate security access event logs?

problem with parsing indexes.conf when creating a new indexer?

Data getting rollover to Frozen bucket irrespective of frozenTimePeriodInSecs set to 365 days (31536000 secs) for the index

I'm looking for some assistance/guidance with a home installation of Splunk...

how can i get the data from my Pc windows to my splunk entreprise running on linux fedora25

Line breaking powershell output

What are the dependencies for Universal Forwarder setup on Linux?

How to configure Splunk to line break events into multiple lines instead of one line?

taking the source file path and creating a field

indexing issue with IIS logs (File will not be read, seekptr checksum did not match)

Why is data segregation by index not displaying events?

How to get size counters for Splunk indexes over a period of time to check how fast volume utilization is growing?

MUST_BREAK_AFTER seems ignored

When I search for _json sourcetype, I am not getting the results as highlighted

How to edit inputs.conf to monitor multiple files with different timestamps from same folder?

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

splunkd.log errors and broken fishbucket on splunk...

update to Splunk Add-on for Infoblox?

CSAM Reports - 500 ERROR