Getting Data In

Ask a Question

Discussions

Thread Info

Best way to consolidate System directory configs to existing configs at bundle level?

Hi Folks; Hopefully this isn't a strange question, but I had a question regarding the consolidation of configurati...

by Builder in

List of valid [perfmon://] stanzas for inputs.conf

Hi, I'm trying to configure performance monitoring inputs on a Windows universal forwarder, to send to a Linux ind...

by Path Finder in

How can we systematically index many large directories with log files?

We have a case in which the client has directories, each containing a couple of thousands of log files, like - 201...

by Ultra Champion in

How to make a line chart that shows the up time of a forwarder?

Hi, We have a number of forwarders in our Splunk Enterprise. And I've been asked to chart the "uptime" of the forw...

by New Member in

Why did upgrading my Universal Forwarder result in a license violation?

I am monitoring the directory where IIS logs are stored. The universal forwarder is sending the information on a dedi...

by Path Finder in

How do I route data based on the Index field

Assuming I have a forwarder with inputs.conf: [monitor:///var/log/notcritical] index=datacritical [monitor:///var...

by Splunk Employee in

Why is Splunk not capturing new content in a CSV file input and indexing it?

Hi, Splunk 6.5.0 I have the scenario that I have to import every hour a csv (File A) file from a system which h...

by Path Finder in

How is the Index Size greater than the uncompressed raw data size?

Uploaded File size: 717MB Current Index size: 811MB ( settings -> Data -> Indexes ) Index Size: 0.79 GB ( Monitoring...

by Explorer in

How to edit inputs.conf in order to whitelist incoming Windows events by EventCode?

Hello there, I'm currently trying to whilelist incoming Windows events by EventCode, but it doesn't actually filt...

by Engager in

"did not return events in descending time order"の解消方法

以下のような前段のコマンドから結果を読み込み、自作の関数の結果を新しいカラムとして差し込んで次のコマンドへ引き渡す外部スクリプトを実行すると、以下のようなエラーになります。エラーにならない場合もあります。 commands.confの...

by Explorer in

How to edit props.conf to retrieve time from my data?

i have a data like this: capturedTime = "12/6/16, 9:08 PM"; indymeDepartmentNumber = 250; lastCacheTime = ...

by Communicator in

How do I get the learned app to set owner to a valid user?

The learned app is creating objects owned by "nobody". This creates logged error messages about ERROR Authenticat...

by New Member in

How to index the same set of logs and route them to 2 different indexes, but process transforms for one index to filter out sensitive data?

Hello fellow-splunkers! Problem Statement - My logs have INFO, WARNING and DEBUG log entries. The DEBUG log entrie...

by Explorer in

Using Splunk Web, can I search a specific host name or IP address that returns the “Identified UF Version” of that system?

Hello Splunkers - Using Splunk Web, can I search/index a specific host name or IP address that returns the “Identifie...

by New Member in

How to edit a rex search in order to find the average duration time between two fields?

Hi, I'm currently have issues parsing the duration I've created to find the average time between 2 fields based on...

by Path Finder in

Upgraded universal forwarder from 5.2 to 6.5.0. Is it typical to receive a "parameter=tstatsHomePath not configured" error when upgrading and how to fix?

I upgraded my Windows universal forwarder from 5.2 to 6.5.0. All I did was grab the installer from download and insta...

by Motivator in

How to troubleshoot configuration mismatch in inputs.conf and outputs.conf?

Background, I am not an engineer and have little engineering experience. In setting up my instance, I have a question...

by Path Finder in

Why is Splunk converting my timestamp to DD/MM/YY instead of MM/DD/YY?

Hi All I have this problem in Splunk : in my log i have time setup as : 12.07.2016 17:20:30,474 but Splunk is ...

by Explorer in

How to filter out local firewall events I don’t want Splunk to index?

A lot of the Windows Security auditing events we see in Splunk come from the local firewall that we're not interested...

by Path Finder in

How to edit inputs.conf to restrict data collected from a monitored TCP input to specific hosts?

I want to restrict data collected from a monitored TCP port to a list of hosts. This is the stanza that I used but it...

by Explorer in

Measuring thruput of heavy forwarders in a dashboard. Would using "metrics.log group=thruput name=thruput" add both input and output thruput to the final result?

Hi, Quick question regarding metrics.log and a heavy forwarder (HF). I'm using a dashboard to measure the thruput ...

by Builder in

How to edit my regular expression to include a space in order for Splunk to extract data?

Hi, I wonder whether someone could help me please. I'm trying to create a Splunk regular expression to extract the...

by Motivator in

Passing a variable from search query to title in simple xml

Hi, I have created a dashboard in simple xml. The alerts for every day is recorded in a lookup is shown in the dashbo...

by Explorer in

Why is Universal Forwarder unable to process props.conf configuration for structured data?

I have a customer that wants to index psv files with headers. If I omit the props.conf file on the Universal Forwarde...

by Path Finder in

How to execute TRANSFORMS by source name in props.conf?

Hi, Given the below: inputs.conf [monitor://\\MyServer\MyFolder] disabled = false host = MyServer index = MyIn...

by Contributor in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Best way to consolidate System directory configs to existing configs at bundle level?

List of valid [perfmon://] stanzas for inputs.conf

How can we systematically index many large directories with log files?

How to make a line chart that shows the up time of a forwarder?

Why did upgrading my Universal Forwarder result in a license violation?

How do I route data based on the Index field

Why is Splunk not capturing new content in a CSV file input and indexing it?

How is the Index Size greater than the uncompressed raw data size?

How to edit inputs.conf in order to whitelist incoming Windows events by EventCode?

"did not return events in descending time order"の解消方法

How to edit props.conf to retrieve time from my data?

How do I get the learned app to set owner to a valid user?

How to index the same set of logs and route them to 2 different indexes, but process transforms for one index to filter out sensitive data?

Using Splunk Web, can I search a specific host name or IP address that returns the “Identified UF Version” of that system?

How to edit a rex search in order to find the average duration time between two fields?

Upgraded universal forwarder from 5.2 to 6.5.0. Is it typical to receive a "parameter=tstatsHomePath not configured" error when upgrading and how to fix?

How to troubleshoot configuration mismatch in inputs.conf and outputs.conf?

Why is Splunk converting my timestamp to DD/MM/YY instead of MM/DD/YY?

How to filter out local firewall events I don’t want Splunk to index?

How to edit inputs.conf to restrict data collected from a monitored TCP input to specific hosts?

Measuring thruput of heavy forwarders in a dashboard. Would using "metrics.log group=thruput name=thruput" add both input and output thruput to the final result?

How to edit my regular expression to include a space in order for Splunk to extract data?

Passing a variable from search query to title in simple xml

Why is Universal Forwarder unable to process props.conf configuration for structured data?

How to execute TRANSFORMS by source name in props.conf?

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

uberAgent

.NET Application Runtime Metrics Not Showing in Sp...

Streamfwd drops IPFIX data with “no template recei...

Splunk Observability Cloud/SignalFx - Related Cont...

Splunk Answers Content Calendar May 2025

Getting Data In

Are you a member of the Splunk Community?

Discussions