Getting Data In

Discussions

Thread Info

Indexer cluster Hardware upgradation

Hi, My Splunk environment contains 1 master 6 pears of indexer hosts. I just want to perform the CUP upgrade on my in...

by Path Finder in

How to convert my date and time field into a human readable format?

First, I read similar Question/Answers and was able to follow them for other time formats. These work well but didn't...

by New Member in

Why does my external lookup script not work when called from the search head?

Hi, So, I have set up an external lookup script, following the example of external_lookup.py that is shipped with ...

by Path Finder in

Groovy - Date Format

Hi, This would be very useful If I get any example. I am using Groovy to retrieve savedSearch results. My code ...

by New Member in

インデックス時にファイル名から時刻を取得する方法

ログファイル内に日付、時刻がなく、ファイル名に日付がある場合に、ファイル名の日付を_timeとして認識させることは可能でしょうか？ タイムレンジピッカーによる日付範囲指定を行いたいので、index-timeに_timeに値を設定したい...

by New Member in

How to prevent my transforms.conf been overwrited by webui

Hi, I configured match_type = CIDR(field_name) in my transforms.conf file, and it worked fine. But when I save change...

by New Member in

Can a Splunk search head cluster member also be an indexer?

Brief description: We have 2 large physical machines we would like to use for our new Splunk Enterprise implementa...

by New Member in

Cannot index event because it is larger than mpool size

Hi, i am getting the above message from our indexers from time to time. " Search peer * has the following message:...

by Builder in

Is it possible to run Splunk Light with 2 indexers and a search head?

Hi all, Like the title says, is it possible to run Splunk Light with 2 indexers and a search head? Or is this a S...

by Engager in

How to forward a specific syslog file into Splunk?

Hello all, I'm looking for guidance about a logging problem I am trying to solve. Right now we have a few security...

by Explorer in

Why is Splunk universal forwarder not indexing data from all log files?

Hello I am running Splunk as not root user. my Splunk universal forwarder is not indexing data from all files. ...

by Path Finder in

How to monitor Windows Event Logs that roll to an archive every hour?

I have a WinEventLog://System log which rolls to archive every hour or so. I have 4 questions; 1) is the Splunk Un...

by Path Finder in

How to encrypt password in app outputs.conf?

I am deploying Indexer Cluster settings in an app to multiple Universal Forwarders via the Deployment Server. The iss...

by Path Finder in

SEDCMD to change field name

Hello i have a log event as DEBUG 2017.02.06 17:15:35.385: (common.work) Parsed source address, source='10.0.0.2' i w...

by Path Finder in

Incoming email info from Cisco ESA

I installed the Cisco Security suite as well as the Cisco ESA add-on. I am forwarding the mail_logs from Cisco ESA...

by Path Finder in

How to edit my props.conf to line break before each timestamp in my multi line events?

Hi, I have logs with multi line events and I am trying to line break before the timestamp, but before date there i...

by Explorer in

Is there a version of the universal forwarder that is compatible with Windows Server 2016 for 64 bits?

Hi Splunker, Currently, we are panning upgrade to Windows Server 2016, may i know, will Splunk release latest msi ve...

by New Member in

What folder permission is need to monitor bash_history?

I've been trying to capture bash_history logs but I am not seeing this log populate in Splunk. I am able to get top, ...

by New Member in

After upgrading Splunk to 6.5.x, why is my indexer reporting "Unable to get size on disk for bucket id=..." in splunkd.log?

I have two indexers, a search head, and universal forwarders. Post 6.5 upgrade, I am seeing a ton of these messages o...

by Explorer in

Incremental Update of Events

We would like to use Splunk to dashboard business level metrics. For these metrics, we would like to populate the "cu...

by New Member in

Will Splunk update the host field in indexed events if a universal forwarder's system name is changed?

So after months of battling an issue with our indexers dropping connections, we determined that there was a problem w...

by Path Finder in

Why is renaming an index via transforms.conf and props.conf failing?

Hello. I really hope someone on here will be able to help me out. Long story short: I am having some difficulties ...

by Explorer in

What is incorrect with my regular expression in my inputs.conf file?

Hello, I'm trying to pull in a logfile that is named different on each workstation, using a regular expression in the...

by New Member in

How to force retention time pruning

I have my frozen time set like this frozenTimePeriodInSecs = 47304000 (1.5 years) yet when I do this search | met...

by Motivator in

How to monitor SSH logins to our Splunk server?

Is there a way to monitor Splunk server logon/logoff, basically trying to find the best way to audit access to Splunk...

by Explorer in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Indexer cluster Hardware upgradation

How to convert my date and time field into a human readable format?

Why does my external lookup script not work when called from the search head?

Groovy - Date Format

インデックス時にファイル名から時刻を取得する方法

How to prevent my transforms.conf been overwrited by webui

Can a Splunk search head cluster member also be an indexer?

Cannot index event because it is larger than mpool size

Is it possible to run Splunk Light with 2 indexers and a search head?

How to forward a specific syslog file into Splunk?

Why is Splunk universal forwarder not indexing data from all log files?

How to monitor Windows Event Logs that roll to an archive every hour?

How to encrypt password in app outputs.conf?

SEDCMD to change field name

Incoming email info from Cisco ESA

How to edit my props.conf to line break before each timestamp in my multi line events?

Is there a version of the universal forwarder that is compatible with Windows Server 2016 for 64 bits?

What folder permission is need to monitor bash_history?

After upgrading Splunk to 6.5.x, why is my indexer reporting "Unable to get size on disk for bucket id=..." in splunkd.log?

Incremental Update of Events

Will Splunk update the host field in indexed events if a universal forwarder's system name is changed?

Why is renaming an index via transforms.conf and props.conf failing?

What is incorrect with my regular expression in my inputs.conf file?

How to force retention time pruning

How to monitor SSH logins to our Splunk server?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions