Getting Data In

Thread Info

Is configuration bundle used to remove an app or add-on?

We are moving to a new Anti-Virus vendor and I will need to add the add-on (TA) for the new vendor. My question conce...

by Contributor in

After upgrading to 6.5.0, why is there a runaway splunkd process using up an entire CPU?

After upgrading to 6.5.0 from 6.4.3 on RHEL5 x86_64-bit, we're noticing a single runway splunkd process chewing up an...

by Engager in

How to correlate Windows Events by Logon_ID field?

I am trying to find a way to correlate two Windows events together to detect a few forms of lateral movement. The cav...

by New Member in

How to avoid indexing events twice when applying crcSalt=

Hello We are indexing a file structure like /opt/logs////. with YYYY=year, MM=month and DD=day. So far, we have n...

by Explorer in

How to prevent error "Bug during applyPendingMetadata, header processor does not own the indexed extractions confs."

Hi, We are seeing lots of the following errors on our forwarders: 11-21-2016 06:23:13.425 +0100 ERROR TailReade...

by Communicator in

Management Console - Indexing Performance shows Queue Fill Ratio's are at 100% (almost)

We have a multi-site cluster and I started noticing in DMC that some of the Queue Fill Ratio's are almost at 100%. Wh...

by Contributor in

Why is my nested JSON event not formatted correctly?

Can Splunk be configured to allow for interpreting JSON objects with multiple-levels of depth? Here's an example: ...

by Builder in

In my Splunk developed app, everything works fine on Linux, but why is an extra line added to the beginning of all config files on Windows?

Hi everyone, I am currently facing the following problem: In my Splunk developed APP, on Linux everything seems to...

by New Member in

Why are my inputs for Windows Network Performance Monitoring counters not working?

Hi all, We're trying to get data from Windows network perfmon counters using the Splunk Universal Forwarder + Data...

by Path Finder in

Where does splunk store the notable events logs and how to know the retention period for the same?

by New Member in

How to figure out index disk space footprint on indexers?

I was struggling to find short and long term estimations on how much space was taken by each index in each state, so ...

by Path Finder in

Is it advisable to deploy heavy forwarders vs universal forwarders to clients?

Is it advisable to deploy heavy forwarders to all clients vs universal forwarders? We have an interest in cutting dow...

by Communicator in

Why did my indexers have a large spike in io?

Hi Folks; Wondering if someone could help me out here. I just had a big issue with Splunk. 3 of my Indexers just c...

by Builder in

Splunk 6.5.2: Why am I unable to add data via HTTP Event Collector?

Working with Splunk 6.5.2. Using following curl command data ingestion fails: $ curl -k https://localhost:8088/se...

by Explorer in

How to parse the British Pound £ sign for currency fields?

Hi, I'm relatively new to Splunk and trying to ingest a cav of transactions in GBP in the format £123.45. I have t...

by New Member in

Is it safe to use a 6.5.2 universal forwarder with a 6.5.1 indexer?

I would like to deploy the latest 64-bit Windows forwarder (6.5.2) but we are still at 6.5.1 for our indexers.

by New Member in

How to monitor a multi line log with a variable number of field value pairs?

We monitor the log output of many file storage systems, some devices have only a few, others have hundreds, but there...

by Communicator in

CSV Field extractions with one field has extra commas with in single quotes

Here is an example of one log: 20170309 10:41:16,hostname.vagrantup.com,username,localhost,155,9823,QUERY,database...

by Explorer in

If the Universal Forwarder doesn't do parsing, why do I see an abundance of "Failed to parse timestamp" errors in splunkd.log?

I'm currently troubleshooting some data inputs from a Universal Forwarder that I have forwarding to an intermediate H...

by Path Finder in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Is configuration bundle used to remove an app or add-on?

After upgrading to 6.5.0, why is there a runaway splunkd process using up an entire CPU?

How to correlate Windows Events by Logon_ID field?

How to avoid indexing events twice when applying crcSalt=

How to prevent error "Bug during applyPendingMetadata, header processor does not own the indexed extractions confs."

Management Console - Indexing Performance shows Queue Fill Ratio's are at 100% (almost)

Why is my nested JSON event not formatted correctly?

In my Splunk developed app, everything works fine on Linux, but why is an extra line added to the beginning of all config files on Windows?

Why are my inputs for Windows Network Performance Monitoring counters not working?

Where does splunk store the notable events logs and how to know the retention period for the same?

How to figure out index disk space footprint on indexers?

Is it advisable to deploy heavy forwarders vs universal forwarders to clients?

Why did my indexers have a large spike in io?

Splunk 6.5.2: Why am I unable to add data via HTTP Event Collector?

How to parse the British Pound £ sign for currency fields?

Is it safe to use a 6.5.2 universal forwarder with a 6.5.1 indexer?

How to monitor a multi line log with a variable number of field value pairs?

CSV Field extractions with one field has extra commas with in single quotes

If the Universal Forwarder doesn't do parsing, why do I see an abundance of "Failed to parse timestamp" errors in splunkd.log?

How to configure props.conf to index each log file in my directory as a single event?

How to fix Docker container JSON logs from not being formatted correctly?

How to add log data that is currently pulled from a shared folder?

How do I add data into Splunk when logged in as an administrator?

Using Splunk 6.4.2, how to send SNMP traps from Splunk to other systems?

What configurations would be made to inputs.conf in order to have the same log file be monitored on all my servers?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions