Getting Data In

Community Activity

How to troubleshoot why my heavy forwarder is not receiving Windows event logs from the universal forwarder? I want to send "wineventlog:security " logs to Heavy forwarder(KIWISERVER) and below are the configuration files that... by chanamoluk Explorer in Getting Data In 12-19-2016 0 5	0	5
How to troubleshoot why an indexer in a cluster is missing from the Monitoring Console? We have a four (4) node indexer cluster. Under the 'Distributed Environment \| Indexer Clustering', all four peers sho... by agehring4823 Explorer in Getting Data In 12-19-2016 1 1	1	1
How to troubleshoot the Universal Forwarder when it is not sending events to the indexer? We have a existing infrastructure of Splunk where events are passed from multiple Linux boxes to Splunk indexers. We... by sarthakb Explorer in Getting Data In 12-19-2016 0 6	0	6
Would a summary index be the best way to keep an index of all the outputs of a savedsearch? I have a saved search that is being run through my dashboard with a text input using the "$token$" operator. I would ... by _jgpm_ Communicator in Getting Data In 12-19-2016 0 2	0	2
Can I make a field which contains the number of the entry, as a substitute for timestamp? I would like to experiment with entries in which time is mentioned as 1,2,3, .... , n; where the nth entry is the lat... by akcyril New Member in Getting Data In 12-19-2016 0 1	0	1
How to resolve error "ERROR TcpInputProc - Error encountered for connection" on server? i am getting 2 different errors on my Splunk server - please see attached for errors, unsure what is wrong thanks fo... by rsingh Explorer in Getting Data In 12-19-2016 0 5	0	5
Why are no events showing on any indexers after using "Add Data" on the universal forwarder? Hello, I have 2 Indexers along with 1 search head. Both the indexers are added under distributed search peer. From a... by princemanto2580 Path Finder in Getting Data In 12-18-2016 0 2	0	2
How to ignore the timestamp or any time value provided in the logs and use current time of the servers forwarding data instead? I am indexing a log file which doesn't have a timestamp, but have a few events that have completion time (how much ti... by isha_rastogi Path Finder in Getting Data In 12-18-2016 0 2	0	2
What is the difference between TcpOutputProc and TcpOutputFd? SSL Question: What is the difference between TcpOutputProc and TcpOutputFd? I am getting an error message on my forw... by nmensah Explorer in Getting Data In 12-18-2016 0 1	0	1
Why is the default taking precedence over the sourcetype I've set in inputs.conf or props.conf? I have set the sourcetype for access logs in inputs.conf + props.conf before, but on one host it is not recognizing t... by alange Explorer in Getting Data In 12-16-2016 0 3	0	3
Bug in Universal Forwarder? inputs.conf monitor and recursive = false Should it really be like this? I think it is a bug. In /var/log I have lots of files and dirs. I want to monitor the... by elof Path Finder in Getting Data In 12-16-2016 0 3	0	3
Can sourcetype control be applied in props.conf? Hopefully a simple question. I can see that in props.conf you can use source, [source::.../dads_logs/*.log], to cont... by rrussellstscied Explorer in Getting Data In 12-16-2016 0 3	0	3
How high can we safely set max_fd in limits.conf on the forwarder? We have large number of log files to ingest and the machine shows - $ ulimit -n 64000 How high can we set the max_... by ddrillic Ultra Champion in Getting Data In 12-16-2016 0 1	0	1
How to tell a Splunk Universal Forwarder to not to monitor its own log files? Hello Everyone, We are trying to monitor log files on a server using the Splunk universal forwarder. The logs direct... by VipulPathak Explorer in Getting Data In 12-15-2016 0 14	0	14
Is it possible to do a groupby operation on multiline Cisco Ironport before indexing? I am trying to do a groupby operation at index time on Ironport logs. I have looked in all the documents and posts an... by ananthkumar12 Explorer in Getting Data In 12-15-2016 0 4	0	4
How to configure inputs.conf to index Windows Perfmon RPC/HTTP proxy counters? I've configured inputs.conf like below, but I can't see any data. (Other stanzas for [perfmon:// are all working perf... by 1500372 Explorer in Getting Data In 12-15-2016 0 4	0	4
Is it appropriate to take VM snapshots prior to upgrading Splunk Deployment Server and Heavy Forwarder to 6.5.1? Hello all. Apologies in advance if the answer to these questions are documented elsewhere, but I've not been able to... by cbaiocchetti New Member in Getting Data In 12-15-2016 0 1	0	1
How to reduce the number of events in my indexes by filtering out Windows event IDs? i want to reduce the number in my indexes by filtering out common Windows events such as 4688 event Id. I thought it ... by andy_macn New Member in Getting Data In 12-15-2016 0 1	0	1
How do I debug perfmon:memory missing on a windows 2012 R2 host? I have a couple of hosts that have the same version of Windows (2012 R2) that one will produce perfmon:memory data, a... by cpetterborg SplunkTrust in Getting Data In 12-15-2016 0 3	0	3
分散サーチの機能を利用せずに、サーチヘッドとインデクサーを別のサーバーへ配置したい Please excuse me for writing in Japanese. Splunk Freeで、分散サーチの機能を利用せずに、サーチヘッドとインデクサーを、それぞれ別のサーバーへ配置することは可能でしょうか？また、... by amemiya New Member in Getting Data In 12-15-2016 0 2	0	2
Can we add additional parameters (IP and hostname) to the logs which are collected thorough a Windows universal forwarder? I am kind of new in Splunk and I am curious about something. When I install universal forwarder to a Windows server, ... by akif_kayapinar New Member in Getting Data In 12-14-2016 0 2	0	2
Where does Splunk keep metadata on when a log was indexed? The logs I've got only have log generation timestamps in them, and the timestamp in Splunk reflects the log generatio... by kalik Explorer in Getting Data In 12-14-2016 0 2	0	2
How can we delete a large index from an indexer cluster? We have a fairly large index in an indexer cluster of six indexers. What would be an easy way to remove this index fr... by ddrillic Ultra Champion in Getting Data In 12-14-2016 0 4	0	4
How can we monitor all log files in current directory and sub-directories? We wonder whether [monitor:///<source>/logs/*.log] would monitor all log files in the <source>/logs directory and als... by ddrillic Ultra Champion in Getting Data In 12-14-2016 0 2	0	2
How to configure inputs.conf to route logs from 2 IP addresses to a specific index? Hello I have a number of devices logging to an index feeding Splunk via Syslog on 514/UDP. Now, I want to route logs... by j666gak Communicator in Getting Data In 12-14-2016 2 5	2	5

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

Getting Data In

How to troubleshoot why my heavy forwarder is not receiving Windows event logs from the universal forwarder?

How to troubleshoot why an indexer in a cluster is missing from the Monitoring Console?

How to troubleshoot the Universal Forwarder when it is not sending events to the indexer?

Would a summary index be the best way to keep an index of all the outputs of a savedsearch?

Can I make a field which contains the number of the entry, as a substitute for timestamp?

How to resolve error "ERROR TcpInputProc - Error encountered for connection" on server?

Why are no events showing on any indexers after using "Add Data" on the universal forwarder?

How to ignore the timestamp or any time value provided in the logs and use current time of the servers forwarding data instead?

What is the difference between TcpOutputProc and TcpOutputFd?

Why is the default taking precedence over the sourcetype I've set in inputs.conf or props.conf?

Bug in Universal Forwarder? inputs.conf monitor and recursive = false

Can sourcetype control be applied in props.conf?

How high can we safely set max_fd in limits.conf on the forwarder?

How to tell a Splunk Universal Forwarder to not to monitor its own log files?

Is it possible to do a groupby operation on multiline Cisco Ironport before indexing?

How to configure inputs.conf to index Windows Perfmon RPC/HTTP proxy counters?

Is it appropriate to take VM snapshots prior to upgrading Splunk Deployment Server and Heavy Forwarder to 6.5.1?

How to reduce the number of events in my indexes by filtering out Windows event IDs?

How do I debug perfmon:memory missing on a windows 2012 R2 host?

分散サーチの機能を利用せずに、サーチヘッドとインデクサーを別のサーバーへ配置したい

Can we add additional parameters (IP and hostname) to the logs which are collected thorough a Windows universal forwarder?

Where does Splunk keep metadata on when a log was indexed?

How can we delete a large index from an indexer cluster?

How can we monitor all log files in current directory and sub-directories?

How to configure inputs.conf to route logs from 2 IP addresses to a specific index?

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SC4S postfilter not dropping Fortigate east-west t...

PCAP Data contains media and audio file, Is it pos...

TA_Guardium API Add-on for Splunk

Transilience AI threat intel feed integration

I have question about Metrics

Getting Data In

Join the Conversation