Getting Data In

Thread Info

How to tell a Splunk Universal Forwarder to not to monitor its own log files?

Hello Everyone, We are trying to monitor log files on a server using the Splunk universal forwarder. The logs dire...

by Explorer in

Is it possible to do a groupby operation on multiline Cisco Ironport before indexing?

I am trying to do a groupby operation at index time on Ironport logs. I have looked in all the documents and posts an...

by Explorer in

How to configure inputs.conf to index Windows Perfmon RPC/HTTP proxy counters?

I've configured inputs.conf like below, but I can't see any data. (Other stanzas for [perfmon:// are all working perf...

by Explorer in

Is it appropriate to take VM snapshots prior to upgrading Splunk Deployment Server and Heavy Forwarder to 6.5.1?

Hello all. Apologies in advance if the answer to these questions are documented elsewhere, but I've not been able to ...

by New Member in

How to reduce the number of events in my indexes by filtering out Windows event IDs?

i want to reduce the number in my indexes by filtering out common Windows events such as 4688 event Id. I thought it ...

by New Member in

How do I debug perfmon:memory missing on a windows 2012 R2 host?

I have a couple of hosts that have the same version of Windows (2012 R2) that one will produce perfmon:memory data, a...

by SplunkTrust in

分散サーチの機能を利用せずに、サーチヘッドとインデクサーを別のサーバーへ配置したい

Please excuse me for writing in Japanese. Splunk Freeで、分散サーチの機能を利用せずに、サーチヘッドとインデクサーを、それぞれ別のサーバーへ配置することは可能でしょうか？ ま...

by New Member in

Can we add additional parameters (IP and hostname) to the logs which are collected thorough a Windows universal forwarder?

I am kind of new in Splunk and I am curious about something. When I install universal forwarder to a Windows server, ...

by New Member in

Where does Splunk keep metadata on when a log was indexed?

The logs I've got only have log generation timestamps in them, and the timestamp in Splunk reflects the log generatio...

by Explorer in

How can we delete a large index from an indexer cluster?

We have a fairly large index in an indexer cluster of six indexers. What would be an easy way to remove this index fr...

by Ultra Champion in

How can we monitor all log files in current directory and sub-directories?

We wonder whether [monitor:///<source>/logs/*.log] would monitor all log files in the <source>/logs directory and als...

by Ultra Champion in

How to configure inputs.conf to route logs from 2 IP addresses to a specific index?

Hello I have a number of devices logging to an index feeding Splunk via Syslog on 514/UDP. Now, I want to route lo...

by Communicator in

How to force Splunk use epoch time in the log file as index time

I have following logs from a customer device: 0080101c40ba,10.10.1.2,1481421584,host1.labtest.com,error-message1,s...

by Path Finder in

How to edit my TIME_PREFIX in props.conf to properly extract the timestamp from my sample event?

-health_checkin_date: 2016-10-30T09:45:28.824Z That is the line from a JSON event being sent into my Splunk insta...

by Explorer in

How to restart a universal forwarder remotely via deployment server?

We are facing a few issues whereour endpoints (clients) may have the Splunk service stopped. Can we force a restart o...

by Super Champion in

What is the syntax for |makemv delim="|" when writing it in the props.conf file?

This works in the search bar |makemv delim="|", but not when I put that in the props.conf file.

by Path Finder in

Is it possible to add and correct fields for past events?

Hi, we just set up our first Universal Forwarder which now works as expected. But it didn't do so initially, befor...

by Explorer in

How to forward specific log files to specific indexes?

Hello, I'm trying to figure out the following setup: At the moment we have one rotating log file that should be fo...

by Explorer in

Is there an internal log in Splunk with the number of events that were sent to null queue?

Hi. We have recently been inadvertently sending some events to the null queue, due to a new data source that matc...

by Path Finder in

How to view the port status of Cisco switches and firewalls?

Hello guys, I got Cisco firewalls and switches. Now we enabled syslog but I want to see when a port status goes fr...

by Path Finder in

Has anyone seen duplicate windows server universal forwarders after update?

I have one forwarder that is showing duplicate on my Splunk server. I updated 3 forwarders to test them. It was from ...

by New Member in

Does Splunk count the incoming uncompressed data, or the compressed raw data against your license?

I learned that Splunk compresses the incoming data and creates some index files to point towards compressed raw data....

by Contributor in

How to monitor a structured XML log file without indexing duplicate events?

Hi forum, I'm trying to monitor an xml structured logfile like this: <Events> <Event>line1</Events> <Event>line...

by Builder in

universal forwarder deployment on a windows fails?

Hi users, I recently installed universal forwarder on a Windows machine, aiming to forward logs from there to the ...

by Communicator in

Route data to separate index based on CIDR

I have a requirement to route data that falls within two /24 CIDR ranges to a separate index, say 10.0.1.0/24 and 10....

by Communicator in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

How to tell a Splunk Universal Forwarder to not to monitor its own log files?

Is it possible to do a groupby operation on multiline Cisco Ironport before indexing?

How to configure inputs.conf to index Windows Perfmon RPC/HTTP proxy counters?

Is it appropriate to take VM snapshots prior to upgrading Splunk Deployment Server and Heavy Forwarder to 6.5.1?

How to reduce the number of events in my indexes by filtering out Windows event IDs?

How do I debug perfmon:memory missing on a windows 2012 R2 host?

分散サーチの機能を利用せずに、サーチヘッドとインデクサーを別のサーバーへ配置したい

Can we add additional parameters (IP and hostname) to the logs which are collected thorough a Windows universal forwarder?

Where does Splunk keep metadata on when a log was indexed?

How can we delete a large index from an indexer cluster?

How can we monitor all log files in current directory and sub-directories?

How to configure inputs.conf to route logs from 2 IP addresses to a specific index?

How to force Splunk use epoch time in the log file as index time

How to edit my TIME_PREFIX in props.conf to properly extract the timestamp from my sample event?

How to restart a universal forwarder remotely via deployment server?

What is the syntax for |makemv delim="|" when writing it in the props.conf file?

Is it possible to add and correct fields for past events?

How to forward specific log files to specific indexes?

Is there an internal log in Splunk with the number of events that were sent to null queue?

How to view the port status of Cisco switches and firewalls?

Has anyone seen duplicate windows server universal forwarders after update?

Does Splunk count the incoming uncompressed data, or the compressed raw data against your license?

How to monitor a structured XML log file without indexing duplicate events?

universal forwarder deployment on a windows fails?

Route data to separate index based on CIDR

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase

How to Send Splunk Observability Alerts to Webex teams in Minutes

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions