Getting Data In

Discussions

Thread Info

Why is the discard of specific events not working in props.conf and transforms.conf

I am forwarding data from Splunk Enterprise on one server to Splunk Enterprise on a second server. Data is getting in...

by Contributor in

Splunk cannot parse ISO8601/RFC3339 timestamp (e.g. 2017-05-09T19:56:50.233319+00:00)

I am having issues getting Splunk to parse the ISO8601/RFC3339 timestamps included in my log messages. I am using ...

by New Member in

Why are universal forwarder internal logs not getting rotated due to permission issues (Access is denied) in Windows?

We have deployed universal forwarders on Windows and are running as "local system" (admin). This is installed in C:\P...

by Super Champion in

SEDCMD not being applied?

I'm trying to do a seemingly simple SEDCMD replace of passwords in logs, but nothing is getting applied. I have pushe...

by Path Finder in

index replication in custom index

Hello, i have created a new index DAP in cluster master and shared the configuration of this new indexes.conf with al...

by Path Finder in

vip and heavy forwarder setup for HEC

Can I use the same HEC token on all HF's which are behind a VIP and set up clients to send data to VIP ip? The purpos...

by Path Finder in

How I can delete data from splunk after indexed new file

Hi, I have a CSV file in my folder on pc that is updated every day. I want to use always the most up-to-date csv file...

by Path Finder in

INDEX_AND_FORWARD usage

I want to (index and) forward (to a syslog endpoint) some data that goes into a particular index on my indexer cluste...

by Path Finder in

Custom Filtering across multiple Logs

Hi Splunk community, For Log A, I would like to extract out all the values of a specific field that matches a spec...

by Explorer in

Splunk indexing data only after index was created.

Last week, when I finally figured out indexing and sourcetypes in Splunk, I mapped them to my data input which is mon...

by Path Finder in

Salesforce Streaming API

Anyone integrated Salesforce data using Streaming API?

by Splunk Employee in

Duplicate data because of file parts

Hi, I took 6 log files. The sum of events from all the log files is 10666. I added the log files into my forwar...

by Influencer in

maxHotSpanSecs not rolling hot buckets

I use "maxHotSpanSecs" to cut the size of each bucket received. Only join "maxHotSpanSecs = 2592000" (30d) in test of...

by New Member in

where to add my props.conf for new sourcetype - created using preview

I want to push out a props .conf file to monitor a file which resides on two machines with forwarders deployed. my...

by Path Finder in

How to add a forwarder manager server to a dev-testing stand-alone instance of splunk?

I have a stand-alone Dev instance of splunk running on Linux. It works great for testing. But now I have to do some t...

by Contributor in

Why is my timestamp not being recognized...

Hi, I have the following data coming in: 10009 SYSTEM 03/05/17 11:12:44 Info Message Partner MQCACTUSOUT, Sessi...

by Champion in

Calculate percentage increase/decrease of indexing volume compared to average indexing volume

I want to trigger an alert if there is 50% increase/decrease of today's indexing volume versus average indexing volum...

by Path Finder in

How to troubleshoot why a file in monitored folder is not being indexed in Splunk Light Free 6.3.0?

Hi, I’ve been using Splunk Light Free Version 6.3.0 for about a month on Mac OS X, and it’s been working well, mon...

by Explorer in

Route event data to different target groups issue

Hi Splunkers, here are my 3 configuration files transforms,props,outputs /// props.conf [host:firstClient] TRANSFO...

by New Member in

In my current batch stanza in inputs.conf, why is the file indexed twice?

My inputs.conf is as follow: [batch://C:\Splunk\2.txt] index = netiq move_policy = sinkhole sourcetype = shinsei_d...

by Path Finder in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Why is the discard of specific events not working in props.conf and transforms.conf

Splunk cannot parse ISO8601/RFC3339 timestamp (e.g. 2017-05-09T19:56:50.233319+00:00)

Why are universal forwarder internal logs not getting rotated due to permission issues (Access is denied) in Windows?

SEDCMD not being applied?

index replication in custom index

vip and heavy forwarder setup for HEC

How I can delete data from splunk after indexed new file

INDEX_AND_FORWARD usage

Custom Filtering across multiple Logs

Splunk indexing data only after index was created.

Salesforce Streaming API

Duplicate data because of file parts

maxHotSpanSecs not rolling hot buckets

where to add my props.conf for new sourcetype - created using preview

How to add a forwarder manager server to a dev-testing stand-alone instance of splunk?

Why is my timestamp not being recognized...

Calculate percentage increase/decrease of indexing volume compared to average indexing volume

How to troubleshoot why a file in monitored folder is not being indexed in Splunk Light Free 6.3.0?

Route event data to different target groups issue

In my current batch stanza in inputs.conf, why is the file indexed twice?

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023

source/host/sourcetype fields dropped through HEC

Ingesting Windows Service Status Data

How do I get Windows server cipher data into Splun...

Splunk Add on for Microsoft Azure Secure Score- Ho...

Receiving error that “could not load lookup xxx” w...