Getting Data In

Discussions

Thread Info

How to ignore the timestamp or any time value provided in the logs and use current time of the servers forwarding data instead?

I am indexing a log file which doesn't have a timestamp, but have a few events that have completion time (how much ti...

by Path Finder in

What is the difference between TcpOutputProc and TcpOutputFd?

SSL Question: What is the difference between TcpOutputProc and TcpOutputFd? I am getting an error message on my fo...

by Explorer in

Why is the default taking precedence over the sourcetype I've set in inputs.conf or props.conf?

I have set the sourcetype for access logs in inputs.conf + props.conf before, but on one host it is not recognizing t...

by Explorer in

Bug in Universal Forwarder? inputs.conf monitor and recursive = false

Should it really be like this? I think it is a bug. In /var/log I have lots of files and dirs. I want to monitor t...

by Path Finder in

Can sourcetype control be applied in props.conf?

Hopefully a simple question. I can see that in props.conf you can use source, [source::.../dads_logs/*.log], to co...

by Explorer in

How high can we safely set max_fd in limits.conf on the forwarder?

We have large number of log files to ingest and the machine shows - $ ulimit -n 64000 How high can we set the ...

by Ultra Champion in

How to tell a Splunk Universal Forwarder to not to monitor its own log files?

Hello Everyone, We are trying to monitor log files on a server using the Splunk universal forwarder. The logs dire...

by Explorer in

Is it possible to do a groupby operation on multiline Cisco Ironport before indexing?

I am trying to do a groupby operation at index time on Ironport logs. I have looked in all the documents and posts an...

by Explorer in

How to configure inputs.conf to index Windows Perfmon RPC/HTTP proxy counters?

I've configured inputs.conf like below, but I can't see any data. (Other stanzas for [perfmon:// are all working perf...

by Explorer in

Is it appropriate to take VM snapshots prior to upgrading Splunk Deployment Server and Heavy Forwarder to 6.5.1?

Hello all. Apologies in advance if the answer to these questions are documented elsewhere, but I've not been able to ...

by New Member in

How to reduce the number of events in my indexes by filtering out Windows event IDs?

i want to reduce the number in my indexes by filtering out common Windows events such as 4688 event Id. I thought it ...

by New Member in

How do I debug perfmon:memory missing on a windows 2012 R2 host?

I have a couple of hosts that have the same version of Windows (2012 R2) that one will produce perfmon:memory data, a...

by SplunkTrust in

分散サーチの機能を利用せずに、サーチヘッドとインデクサーを別のサーバーへ配置したい

Please excuse me for writing in Japanese. Splunk Freeで、分散サーチの機能を利用せずに、サーチヘッドとインデクサーを、それぞれ別のサーバーへ配置することは可能でしょうか？ ま...

by New Member in

Can we add additional parameters (IP and hostname) to the logs which are collected thorough a Windows universal forwarder?

I am kind of new in Splunk and I am curious about something. When I install universal forwarder to a Windows server, ...

by New Member in

Where does Splunk keep metadata on when a log was indexed?

The logs I've got only have log generation timestamps in them, and the timestamp in Splunk reflects the log generatio...

by Explorer in

How can we delete a large index from an indexer cluster?

We have a fairly large index in an indexer cluster of six indexers. What would be an easy way to remove this index fr...

by Ultra Champion in

How can we monitor all log files in current directory and sub-directories?

We wonder whether [monitor:///<source>/logs/*.log] would monitor all log files in the <source>/logs directory and als...

by Ultra Champion in

How to configure inputs.conf to route logs from 2 IP addresses to a specific index?

Hello I have a number of devices logging to an index feeding Splunk via Syslog on 514/UDP. Now, I want to route lo...

by Communicator in

How to force Splunk use epoch time in the log file as index time

I have following logs from a customer device: 0080101c40ba,10.10.1.2,1481421584,host1.labtest.com,error-message1,s...

by Path Finder in

How to edit my TIME_PREFIX in props.conf to properly extract the timestamp from my sample event?

-health_checkin_date: 2016-10-30T09:45:28.824Z That is the line from a JSON event being sent into my Splunk insta...

by Explorer in

How to restart a universal forwarder remotely via deployment server?

We are facing a few issues whereour endpoints (clients) may have the Splunk service stopped. Can we force a restart o...

by Super Champion in

What is the syntax for |makemv delim="|" when writing it in the props.conf file?

This works in the search bar |makemv delim="|", but not when I put that in the props.conf file.

by Path Finder in

Is it possible to add and correct fields for past events?

Hi, we just set up our first Universal Forwarder which now works as expected. But it didn't do so initially, befor...

by Explorer in

How to forward specific log files to specific indexes?

Hello, I'm trying to figure out the following setup: At the moment we have one rotating log file that should be fo...

by Explorer in

Is there an internal log in Splunk with the number of events that were sent to null queue?

Hi. We have recently been inadvertently sending some events to the null queue, due to a new data source that matc...

by Path Finder in

Get Updates on the Splunk Community!

Getting Data In

Discussions

How to ignore the timestamp or any time value provided in the logs and use current time of the servers forwarding data instead?

What is the difference between TcpOutputProc and TcpOutputFd?

Why is the default taking precedence over the sourcetype I've set in inputs.conf or props.conf?

Bug in Universal Forwarder? inputs.conf monitor and recursive = false

Can sourcetype control be applied in props.conf?

How high can we safely set max_fd in limits.conf on the forwarder?

How to tell a Splunk Universal Forwarder to not to monitor its own log files?

Is it possible to do a groupby operation on multiline Cisco Ironport before indexing?

How to configure inputs.conf to index Windows Perfmon RPC/HTTP proxy counters?

Is it appropriate to take VM snapshots prior to upgrading Splunk Deployment Server and Heavy Forwarder to 6.5.1?

How to reduce the number of events in my indexes by filtering out Windows event IDs?

How do I debug perfmon:memory missing on a windows 2012 R2 host?

分散サーチの機能を利用せずに、サーチヘッドとインデクサーを別のサーバーへ配置したい

Can we add additional parameters (IP and hostname) to the logs which are collected thorough a Windows universal forwarder?

Where does Splunk keep metadata on when a log was indexed?

How can we delete a large index from an indexer cluster?

How can we monitor all log files in current directory and sub-directories?

How to configure inputs.conf to route logs from 2 IP addresses to a specific index?

How to force Splunk use epoch time in the log file as index time

How to edit my TIME_PREFIX in props.conf to properly extract the timestamp from my sample event?

How to restart a universal forwarder remotely via deployment server?

What is the syntax for |makemv delim="|" when writing it in the props.conf file?

Is it possible to add and correct fields for past events?

How to forward specific log files to specific indexes?

Is there an internal log in Splunk with the number of events that were sent to null queue?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Re-ingest Windows logs across enterprise

SC4S Syslog server update fails during download wi...

Event break multiline PowerShell Transcript Log

uberAgent

.NET Application Runtime Metrics Not Showing in Sp...

Getting Data In

Are you a member of the Splunk Community?

Discussions