Getting Data In

Thread Info

How to edit my props.conf to make sure CSV file data gets indexed?

Hi, I am using below props file for CSV but data is not getting indexed or sent into Splunk. Need help in updating pr...

by Explorer in

How to build a regular expression in order to mask password text in props.conf?

I have the following string in the events and I would like to mask the password text using sedcmd. Content={"Login...

by Explorer in

What is the procedure to monitor changes to file content?

Hi, What is the procedure to monitor changes to file content? As per knowledge we can add some parameters to props...

by New Member in

Why is my Splunk Forwarder showing up as "$COMPUTERNAME"?

I used the variable "$COMPUTERNAME" in my app's inputs.conf file. For all the PCs that got it, it's reporting their c...

by Builder in

How to update props.conf to extract timestamp from my sample data?

Please help me with props.conf file i have sample data below i want to extract time stamp from the below sample data....

by Communicator in

Does INDEXED_EXTRACTIONS work for Active Directory

Hi, I'm looking at options for improving some reporting for a heavy feed from AD. Is INDEXED_EXTRACTIONS supported...

by Champion in

How to use action.email.reportFileName to remove the automatic timestamp from the csv output filename attached to emails?

I'm looking for an option to remove the automatic timestamp from the csv output filename attached to emails. Accor...

by SplunkTrust in

How to edit my props.conf to take timestamp from an updated field?

Hey everyone. I read all nearest posts about timestamp and still can't make it work. So, i have events like thi...

by Communicator in

Adding Multiple time stamp fields in props file sourcetype stanza

I have a source file with multiple dates and timestamp as separate fields. I want to use last_changed and last_change...

by Communicator in

Install both Universal Forwarder and Splunk Enterprise on on same Windows server

My Splunk infrastructure (search head, indexer, etc.) is deployed on Windows servers. As for any other Windows ser...

by Communicator in

Why is our third party logstash only receiving half of logs forwarded from Splunk?

Hi Team, We are currently forwarding Windows logs to third party siem and logstash but there is problem. Looks lik...

by Path Finder in

DEBUG AggregatorMiningProcessor - Failed to parse timestamp getting this message in splunkd.log

Hi All, I could this message into my Heavy Forwarder instance (Splunkd.log) I am not sure what is the problem why I a...

by Motivator in

How to handle app folder permissions when deploying apps from a *Nix Deployment Server to Windows deployment clients?

I am trying to deploy apps from a *nix Deployment Server to a Windows client. When the app folders are pulled down, t...

by New Member in

In order to reduce license usage, can I remove the time from _raw and keep _time intact?

Hello, In order to reduce Splunk Licence, I am considering to remove the timestamp from _raw but only after the ti...

by Contributor in

Forward data to Indexer cluster

I am in the middle of understanding an already built environment and trying to figure out how a splunk universal forw...

by Communicator in

I have started the conditional logging on Splunk but still i'm getting the logs?

I have configured transforms.conf and props.conf on below path /opt/splunk/etc/apps/search/local transforms.con...

by Path Finder in

How to change the timezone setting from summer to winter time?

Hi everyone ! Recently in my city, we've changed from summer to winter time and, of course, the server where Splu...

by New Member in

How do I get splunk to use the timestamp of my data

Hi, I have events that look like this 192.168.10.124 - - [02/Nov/2016:08:59:59 +0900] "GET /ICHealthCheck/serve...

by Motivator in

How to combine year, month, day from a filename and contain the exact time of the event in nanoseconds?

I need to ingest a file that contains the year, month, and day in the filename, while also containing the exact time ...

by Motivator in

Is it possible to monitor if someone plugs in a network cable in the network?

Hello, Is it possible to monitor if someone is plugging a network cable in the network?

by Path Finder in

Any idea why a particular sourcetype would stop showing data after 10/31/16 23:59:59?

Here are some pieces of info that may be relevant: The sourcetype in question shows no data after midnight on Octo...

by Engager in

After upgrading to 6.5.0 on Windows, I receive error 1607 when restarting splunkd - how to fix?

Dear all, I tried to upgrade Splunk from 6.1.1 to 6.5 but I'm having some issues. The first time, there is an e...

by Explorer in

How to get Linux OS logs off a Splunk server, where Splunk is started as a non root account, to index in an indexer cluster?

I have a Splunk indexer cluster that is using a service account (non-root) to start Splunk. How do I get the OS logs,...

by Builder in

Is there a character limit for sourcetypes?

Hi everyone, I have doubts about character limits to sourcetype. I'll need to get a sourcetype name using transfor...

by Explorer in

How to resolve data not flowing through forwarders in order to generate scheduled reports?

We have a daily scheduled report which is to be generated at 12pm for every day, the issue we are facing is the data ...

by Explorer in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

How to edit my props.conf to make sure CSV file data gets indexed?

How to build a regular expression in order to mask password text in props.conf?

What is the procedure to monitor changes to file content?

Why is my Splunk Forwarder showing up as "$COMPUTERNAME"?

How to update props.conf to extract timestamp from my sample data?

Does INDEXED_EXTRACTIONS work for Active Directory

How to use action.email.reportFileName to remove the automatic timestamp from the csv output filename attached to emails?

How to edit my props.conf to take timestamp from an updated field?

Adding Multiple time stamp fields in props file sourcetype stanza

Install both Universal Forwarder and Splunk Enterprise on on same Windows server

Why is our third party logstash only receiving half of logs forwarded from Splunk?

DEBUG AggregatorMiningProcessor - Failed to parse timestamp getting this message in splunkd.log

How to handle app folder permissions when deploying apps from a *Nix Deployment Server to Windows deployment clients?

In order to reduce license usage, can I remove the time from _raw and keep _time intact?

Forward data to Indexer cluster

I have started the conditional logging on Splunk but still i'm getting the logs?

How to change the timezone setting from summer to winter time?

How do I get splunk to use the timestamp of my data

How to combine year, month, day from a filename and contain the exact time of the event in nanoseconds?

Is it possible to monitor if someone plugs in a network cable in the network?

Any idea why a particular sourcetype would stop showing data after 10/31/16 23:59:59?

After upgrading to 6.5.0 on Windows, I receive error 1607 when restarting splunkd - how to fix?

How to get Linux OS logs off a Splunk server, where Splunk is started as a non root account, to index in an indexer cluster?

Is there a character limit for sourcetypes?

How to resolve data not flowing through forwarders in order to generate scheduled reports?

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions