Getting Data In

Discussions

Thread Info

How can I debug a TCP feed on a heavy forwarder?

Hi, I need to debug a tcp feed from a load-balancer, on a server where I don't have root or sudo. Is there a props...

by Champion in

Is it better to have Universal Forwarders on each server, or collect logs first in one place, and then forward them to the indexers?

What would be the better solution: deploying Universal Forwarders to each server in the environment or collecting log...

by Contributor in

How to create an alert to trigger an email when a forwarder is stopped on a server?

We have a report which helps us to trigger an alert when the Indexer is down. Is there a way we can monitor if the fo...

by Communicator in

How to filter out a Windows Event Code if the event from a user repeats over a period of time?

I want to capture Windows Event Logs EventCode 4673 when it happens once for each user over a period of one hour. If ...

by Motivator in

Sending rsyslog JSON format

Hello, I have tried today to integrate Splunk with Rsyslog that Contains JSON. The issue is that rsyslog is sendin...

by Engager in

Time format for identifying processing rate

I am trying to get some details from my event text which has the record count and also the processing time. I want to...

by New Member in

On a Linux Splunk Server, how do I ingest Windows CIFS audit files

I have adtlog.evt files I wish to look at from Splunk. How do I do this without using a Windows Splunk server? (I do ...

by Engager in

Monitor input not reading files ?

I'm facing an issue with a monitor input like this: index=myindex disabled=0 sourcetype=mysourcetype crcSalt=salt ...

by Communicator in

splunk-reskit-powershell 401

I'm using splunk-reskit-powershell to access splunk, but running "Connect-Splunk -Credentials $credentials -ComputerN...

by Engager in

Can I call more than one transform from a props.conf stanza?

[tomcat-logs] TRANSFORMS-null = setnullping TRANSFORMS-rename_source = source_clean-YYYY-MM-DD Is that a legitimat...

by Motivator in

Getting additional disk space for a fast growing index. What's next?

We have a fast growing index which now has filled 94% of the available space. Our system administrators gave us a new...

by Builder in

How to Not apply cluster-bundle

Hi, i am installing two new indexers for test, as test indexers they have very small disks. As clustermember ...

by Path Finder in

Drop specific event

Hi I have a log that we are indexing, now we want to drop specific events from it by sending it to the nullQueue....

by Path Finder in

Line breaking two different time prefixes

Think I may have tried everything in props at this stage, Splunk does not seem to be paying much attention to anythin...

by Path Finder in

Can't index a .csv file?!?

Hey, I tried to index a .csv file several times and I can see the file in "Manager » Data inputs » Files & directori...

by Explorer in

How can I get date from filename and time from inside logs.

Hi Splunkers, How can I get date from filename and time from inside the logs. For example: I have a file name...

by Communicator in

How to send events to the nullQueue on indexer?

The strange thing is that I can send events to the nullQueue on my Local installation of Enterprise Splunk (6.2.2.5)....

by Explorer in

Blacklisting Account_Name=ftpadmin ??

I am trying to blacklist Windows service account named, ftpadmin from all servers. I tried: [WinEventLog://Securit...

by Explorer in

How to execute an external Python script to add fields to events for every event ingested by Splunk?

I have a Python script that queries an external system for reputation data based on a hash. What I would like to do i...

by Communicator in

How can I search total time indexing for source="xxx.log" and bandwidth speed of data transfer between site.

Hi everyone, Now I'm working splunk site to site. I have splunk indexer at HQ and splunk forwarder at branch. I...

by Explorer in

Getting Data In

Discussions

How can I debug a TCP feed on a heavy forwarder?

Is it better to have Universal Forwarders on each server, or collect logs first in one place, and then forward them to the indexers?

How to create an alert to trigger an email when a forwarder is stopped on a server?

How to filter out a Windows Event Code if the event from a user repeats over a period of time?

Sending rsyslog JSON format

Time format for identifying processing rate

On a Linux Splunk Server, how do I ingest Windows CIFS audit files

Monitor input not reading files ?

splunk-reskit-powershell 401

Can I call more than one transform from a props.conf stanza?

Getting additional disk space for a fast growing index. What's next?

How to Not apply cluster-bundle

Drop specific event

Line breaking two different time prefixes

Can't index a .csv file?!?

How can I get date from filename and time from inside logs.

How to send events to the nullQueue on indexer?

Blacklisting Account_Name=ftpadmin ??

How to execute an external Python script to add fields to events for every event ingested by Splunk?

How can I search total time indexing for source="xxx.log" and bandwidth speed of data transfer between site.

Using Splunk Universal Forwarder and scripted inpu...

why Splunk is not able to index all the data from ...

Monitor Server Transaction Log File (.ldf) on Splu...

Collect Perfmon counters data for ASP.NET & Paging...

Splunk eStreamer for FMC version 4.011 setup page...