Getting Data In

Ask a Question

Discussions

Thread Info

What are the minimum hardware requirements for Splunk Universal Forwarder in 32-bit OS?

Minimum requirements for Splunk Universal Forwarder in 32-bit OS If 2x six-core, 2+ GHz CPU, 12GB RAM, RAID 0 or 1...

by Observer in

Is it possible to use SSH in order to run a search?

is it possible to ssh Splunk (that is running on Windows machine) in order to run searches ?

by New Member in

Is search head clustering now supported on Windows?

I understand that support for search head clustering was supposed to be added with version 6.3. Is that now supported...

by Engager in

How to troubleshoot why my heavy forwarder is not receiving Windows event logs from the universal forwarder?

I want to send "wineventlog:security " logs to Heavy forwarder(KIWISERVER) and below are the configuration files that...

by Explorer in

How to troubleshoot why an indexer in a cluster is missing from the Monitoring Console?

We have a four (4) node indexer cluster. Under the 'Distributed Environment | Indexer Clustering', all four peers sho...

by Explorer in

How to troubleshoot the Universal Forwarder when it is not sending events to the indexer?

We have a existing infrastructure of Splunk where events are passed from multiple Linux boxes to Splunk indexers. ...

by Explorer in

Would a summary index be the best way to keep an index of all the outputs of a savedsearch?

I have a saved search that is being run through my dashboard with a text input using the "$token$" operator. I would ...

by Communicator in

Can I make a field which contains the number of the entry, as a substitute for timestamp?

I would like to experiment with entries in which time is mentioned as 1,2,3, .... , n; where the nth entry is the lat...

by New Member in

How to resolve error "ERROR TcpInputProc - Error encountered for connection" on server?

i am getting 2 different errors on my Splunk server - please see attached for errors, unsure what is wrong thanks ...

by Explorer in

Why are no events showing on any indexers after using "Add Data" on the universal forwarder?

Hello, I have 2 Indexers along with 1 search head. Both the indexers are added under distributed search peer. From...

by Path Finder in

How to ignore the timestamp or any time value provided in the logs and use current time of the servers forwarding data instead?

I am indexing a log file which doesn't have a timestamp, but have a few events that have completion time (how much ti...

by Path Finder in

What is the difference between TcpOutputProc and TcpOutputFd?

SSL Question: What is the difference between TcpOutputProc and TcpOutputFd? I am getting an error message on my fo...

by Explorer in

Why is the default taking precedence over the sourcetype I've set in inputs.conf or props.conf?

I have set the sourcetype for access logs in inputs.conf + props.conf before, but on one host it is not recognizing t...

by Explorer in

Bug in Universal Forwarder? inputs.conf monitor and recursive = false

Should it really be like this? I think it is a bug. In /var/log I have lots of files and dirs. I want to monitor t...

by Path Finder in

Can sourcetype control be applied in props.conf?

Hopefully a simple question. I can see that in props.conf you can use source, [source::.../dads_logs/*.log], to co...

by Explorer in

How high can we safely set max_fd in limits.conf on the forwarder?

We have large number of log files to ingest and the machine shows - $ ulimit -n 64000 How high can we set the ...

by Ultra Champion in

How to tell a Splunk Universal Forwarder to not to monitor its own log files?

Hello Everyone, We are trying to monitor log files on a server using the Splunk universal forwarder. The logs dire...

by Explorer in

Is it possible to do a groupby operation on multiline Cisco Ironport before indexing?

I am trying to do a groupby operation at index time on Ironport logs. I have looked in all the documents and posts an...

by Explorer in

How to configure inputs.conf to index Windows Perfmon RPC/HTTP proxy counters?

I've configured inputs.conf like below, but I can't see any data. (Other stanzas for [perfmon:// are all working perf...

by Explorer in

Is it appropriate to take VM snapshots prior to upgrading Splunk Deployment Server and Heavy Forwarder to 6.5.1?

Hello all. Apologies in advance if the answer to these questions are documented elsewhere, but I've not been able to ...

by New Member in

How to reduce the number of events in my indexes by filtering out Windows event IDs?

i want to reduce the number in my indexes by filtering out common Windows events such as 4688 event Id. I thought it ...

by New Member in

How do I debug perfmon:memory missing on a windows 2012 R2 host?

I have a couple of hosts that have the same version of Windows (2012 R2) that one will produce perfmon:memory data, a...

by SplunkTrust in

分散サーチの機能を利用せずに、サーチヘッドとインデクサーを別のサーバーへ配置したい

Please excuse me for writing in Japanese. Splunk Freeで、分散サーチの機能を利用せずに、サーチヘッドとインデクサーを、それぞれ別のサーバーへ配置することは可能でしょうか？ ま...

by New Member in

Can we add additional parameters (IP and hostname) to the logs which are collected thorough a Windows universal forwarder?

I am kind of new in Splunk and I am curious about something. When I install universal forwarder to a Windows server, ...

by New Member in

Where does Splunk keep metadata on when a log was indexed?

The logs I've got only have log generation timestamps in them, and the timestamp in Splunk reflects the log generatio...

by Explorer in

Get Updates on the Splunk Community!

Getting Data In

Discussions

What are the minimum hardware requirements for Splunk Universal Forwarder in 32-bit OS?

Is it possible to use SSH in order to run a search?

Is search head clustering now supported on Windows?

How to troubleshoot why my heavy forwarder is not receiving Windows event logs from the universal forwarder?

How to troubleshoot why an indexer in a cluster is missing from the Monitoring Console?

How to troubleshoot the Universal Forwarder when it is not sending events to the indexer?

Would a summary index be the best way to keep an index of all the outputs of a savedsearch?

Can I make a field which contains the number of the entry, as a substitute for timestamp?

How to resolve error "ERROR TcpInputProc - Error encountered for connection" on server?

Why are no events showing on any indexers after using "Add Data" on the universal forwarder?

How to ignore the timestamp or any time value provided in the logs and use current time of the servers forwarding data instead?

What is the difference between TcpOutputProc and TcpOutputFd?

Why is the default taking precedence over the sourcetype I've set in inputs.conf or props.conf?

Bug in Universal Forwarder? inputs.conf monitor and recursive = false

Can sourcetype control be applied in props.conf?

How high can we safely set max_fd in limits.conf on the forwarder?

How to tell a Splunk Universal Forwarder to not to monitor its own log files?

Is it possible to do a groupby operation on multiline Cisco Ironport before indexing?

How to configure inputs.conf to index Windows Perfmon RPC/HTTP proxy counters?

Is it appropriate to take VM snapshots prior to upgrading Splunk Deployment Server and Heavy Forwarder to 6.5.1?

How to reduce the number of events in my indexes by filtering out Windows event IDs?

How do I debug perfmon:memory missing on a windows 2012 R2 host?

分散サーチの機能を利用せずに、サーチヘッドとインデクサーを別のサーバーへ配置したい

Can we add additional parameters (IP and hostname) to the logs which are collected thorough a Windows universal forwarder?

Where does Splunk keep metadata on when a log was indexed?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

DNS logs - INFO [:12345] Script exceeded maximum r...

Onboard Unknown Source to SC4S

.NET Application Runtime Metrics Not Showing in Sp...

Streamfwd drops IPFIX data with “no template recei...

Splunk Observability Cloud/SignalFx - Related Cont...

Getting Data In

Are you a member of the Splunk Community?

Discussions