Getting Data In

Thread Info

Migrating Arcsight to Splunk

Hi Guys, I am new Splunk. Earlier, we were using the Arcsight for the SOC operation. Now, we are migrating to Splu...

by New Member in

Is it possible to have a custom REST endpoint that executes scripts on a universal forwarder?

Hi, Is it possible to have a custom REST endpoint that executes scripts on a universal forwarder?

by Champion in

How to monitor two files with different names in the same directory, and index all duplicate events on my receiver?

I have two different file names in the same directory on a forwarder. The problem is, the data for both files are the...

by New Member in

After deploying universal forwarders on Citrix hosts via master image, how to prevent all UF's from reporting the same hostname?

We have a master image controlling 10 Citrix XenApp hosts, We have deployed Splunk Universal Forwarders via master im...

by Explorer in

how to pass "fields" parameter in services/collector rest api?

Hello Experts, I am working on HEC rest api's /services/collector. Passing fields as given in the examples but gettin...

by New Member in

best practise: remote log servers

hi; we have 7 remote log servers which we are sending all of our logs from approximately 400 different servers(apa...

by Path Finder in

How to set continuous monitoring of an input file so that it gets indexed as the file gets updated?

Hi, I have Splunk installed on my local Windows machine. From Splunk Web url, am doing below steps Settings -> Ad...

by Communicator in

How to write props.conf to extract an epoch time as timestamp from events?

I have a epoch time in my events: timestamp=1478787869121. How to write props.conf to extract this timestamp?

by Contributor in

Struggling with inputs.conf and conflicting rules

Hi, I'm struggling with an issue involving my old nemesis, inputs.conf rules :-). In this case, we have a catch-al...

by Builder in

How to send data to indexer and pulling config data from deployment server using forwarder ports?

We will be installing the forwarder onto our domain controllers in DMZ. Question, can we hardwire a port on the DC...

by Contributor in

Is there a way to use an external list file to whitelist or blacklist hosts in serverclass.conf?

Is there a way to use external lists with whitelist filtering? For example if I had systems A and B with several host...

by Explorer in

Why is my timestamp date format changing from dd/mm/yyyy to mm/dd/yyyy?

Hi, I'm using Splunk Enterprise 6.5.0 with Universal forwarders 6.5.0 for some years now to index log files from ....

by Engager in

How to name monitoring stanza in inputs.conf to pick up Windows Applications and Services Logs?

Hello, I am trying to onboard an ActiveRoles server, however it doesn't seem that I'm configuring my inputs.conf ...

by Path Finder in

How to add new fields in indexing time depending on condition

Hello All, Is this possible in Splunk where we can add new fields and there value will depends on condition? in tr...

by Communicator in

Will Splunk ingest a TAR file with a .diag extension?

Hi, I know Splunk will injest a TAR (and other types) file, my question is what if the file extension is NOT *.tar...

by Motivator in

Retirement policy of fishbucket on the universal forwarder

Hello, I want to know a retirement policy of the fishbucket on the universal forwarder for a disk sizing. The d...

by Path Finder in

assigning read permission for the log file on Linux

We need to monitor a log file on linux with the splunk forwarder(splunk user account which is local). Log file is own...

by Path Finder in

running permissions for splunk user of forwarder on linux and solaris

Hi I have some universal forwaders installed on linux (suse) and solaris. I have a user "splunk" to log to thos...

by Communicator in

When installing the universal forwarder, why is it unable to create /opt/app/splunkforwarder/var folder?

I'm trying to install Splunk Universal Forwarder on Red Hat OS. I am getting stuck at this step. Before this command,...

by New Member in

Will splunk reindex the same file with new data if the file was overwritten?

Hi, What will splunk behave like in the two following cases: 1) File A.log, having the lines: 1 2 3 Someone overwr...

by Explorer in

tcp_routing route every thing?

i am test '_tcp_routing' in my virtual machines, before doing that on online system. simply i add: [monitor://afile] ...

by Contributor in

How to find lost logs from universal forwarder?

Hi, I've a universal forwarder on a Linux machine that forwards Security Onion logs to my Splunk instance. Logs...

by Path Finder in

split url and perform a count on it.

You'll have to pardon the newbie question. I'm sure this is crazy easy, but I'm having the worst time figuring it out...

by Engager in

How does timezone assignment work for timezoneless events with one or more Intermediate Forwarders?

One of the new features in Splunk 6.0+ is the capability of a forwarder assigning a timezone to an event in the situa...

by SplunkTrust in

How to edit props.conf so Splunk will recognize a month's time format when the month is in all caps?

Seeking help with TIME_FORMAT in props.conf. I'm trying to get Splunk to recognize a time format in the form of "...

by New Member in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Migrating Arcsight to Splunk

Is it possible to have a custom REST endpoint that executes scripts on a universal forwarder?

How to monitor two files with different names in the same directory, and index all duplicate events on my receiver?

After deploying universal forwarders on Citrix hosts via master image, how to prevent all UF's from reporting the same hostname?

how to pass "fields" parameter in services/collector rest api?

best practise: remote log servers

How to set continuous monitoring of an input file so that it gets indexed as the file gets updated?

How to write props.conf to extract an epoch time as timestamp from events?

Struggling with inputs.conf and conflicting rules

How to send data to indexer and pulling config data from deployment server using forwarder ports?

Is there a way to use an external list file to whitelist or blacklist hosts in serverclass.conf?

Why is my timestamp date format changing from dd/mm/yyyy to mm/dd/yyyy?

How to name monitoring stanza in inputs.conf to pick up Windows Applications and Services Logs?

How to add new fields in indexing time depending on condition

Will Splunk ingest a TAR file with a .diag extension?

Retirement policy of fishbucket on the universal forwarder

assigning read permission for the log file on Linux

running permissions for splunk user of forwarder on linux and solaris

When installing the universal forwarder, why is it unable to create /opt/app/splunkforwarder/var folder?

Will splunk reindex the same file with new data if the file was overwritten?

tcp_routing route every thing?

How to find lost logs from universal forwarder?

split url and perform a count on it.

How does timezone assignment work for timezoneless events with one or more Intermediate Forwarders?

How to edit props.conf so Splunk will recognize a month's time format when the month is in all caps?

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Extract fields from RFC5424 syslog with nested jso...

Splunk Nutanix TA and Splunk Enterprise 9.3.4

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

Getting Data In

Are you a member of the Splunk Community?

Discussions