Getting Data In

Community Activity

How to ignore the timestamp or any time value provided in the logs and use current time of the servers forwarding data instead? I am indexing a log file which doesn't have a timestamp, but have a few events that have completion time (how much ti... by isha_rastogi Path Finder in Getting Data In 12-18-2016 0 2	0	2
What is the difference between TcpOutputProc and TcpOutputFd? SSL Question: What is the difference between TcpOutputProc and TcpOutputFd? I am getting an error message on my forw... by nmensah Explorer in Getting Data In 12-18-2016 0 1	0	1
Why is the default taking precedence over the sourcetype I've set in inputs.conf or props.conf? I have set the sourcetype for access logs in inputs.conf + props.conf before, but on one host it is not recognizing t... by alange Explorer in Getting Data In 12-16-2016 0 3	0	3
Bug in Universal Forwarder? inputs.conf monitor and recursive = false Should it really be like this? I think it is a bug. In /var/log I have lots of files and dirs. I want to monitor the... by elof Path Finder in Getting Data In 12-16-2016 0 3	0	3
Can sourcetype control be applied in props.conf? Hopefully a simple question. I can see that in props.conf you can use source, [source::.../dads_logs/*.log], to cont... by rrussellstscied Explorer in Getting Data In 12-16-2016 0 3	0	3
How high can we safely set max_fd in limits.conf on the forwarder? We have large number of log files to ingest and the machine shows - $ ulimit -n 64000 How high can we set the max_... by ddrillic Ultra Champion in Getting Data In 12-16-2016 0 1	0	1
How to tell a Splunk Universal Forwarder to not to monitor its own log files? Hello Everyone, We are trying to monitor log files on a server using the Splunk universal forwarder. The logs direct... by VipulPathak Explorer in Getting Data In 12-15-2016 0 14	0	14
Is it possible to do a groupby operation on multiline Cisco Ironport before indexing? I am trying to do a groupby operation at index time on Ironport logs. I have looked in all the documents and posts an... by ananthkumar12 Explorer in Getting Data In 12-15-2016 0 4	0	4
How to configure inputs.conf to index Windows Perfmon RPC/HTTP proxy counters? I've configured inputs.conf like below, but I can't see any data. (Other stanzas for [perfmon:// are all working perf... by 1500372 Explorer in Getting Data In 12-15-2016 0 4	0	4
Is it appropriate to take VM snapshots prior to upgrading Splunk Deployment Server and Heavy Forwarder to 6.5.1? Hello all. Apologies in advance if the answer to these questions are documented elsewhere, but I've not been able to... by cbaiocchetti New Member in Getting Data In 12-15-2016 0 1	0	1
How to reduce the number of events in my indexes by filtering out Windows event IDs? i want to reduce the number in my indexes by filtering out common Windows events such as 4688 event Id. I thought it ... by andy_macn New Member in Getting Data In 12-15-2016 0 1	0	1
How do I debug perfmon:memory missing on a windows 2012 R2 host? I have a couple of hosts that have the same version of Windows (2012 R2) that one will produce perfmon:memory data, a... by cpetterborg SplunkTrust in Getting Data In 12-15-2016 0 3	0	3
分散サーチの機能を利用せずに、サーチヘッドとインデクサーを別のサーバーへ配置したい Please excuse me for writing in Japanese. Splunk Freeで、分散サーチの機能を利用せずに、サーチヘッドとインデクサーを、それぞれ別のサーバーへ配置することは可能でしょうか？また、... by amemiya New Member in Getting Data In 12-15-2016 0 2	0	2
Can we add additional parameters (IP and hostname) to the logs which are collected thorough a Windows universal forwarder? I am kind of new in Splunk and I am curious about something. When I install universal forwarder to a Windows server, ... by akif_kayapinar New Member in Getting Data In 12-14-2016 0 2	0	2
Where does Splunk keep metadata on when a log was indexed? The logs I've got only have log generation timestamps in them, and the timestamp in Splunk reflects the log generatio... by kalik Explorer in Getting Data In 12-14-2016 0 2	0	2
How can we delete a large index from an indexer cluster? We have a fairly large index in an indexer cluster of six indexers. What would be an easy way to remove this index fr... by ddrillic Ultra Champion in Getting Data In 12-14-2016 0 4	0	4
How can we monitor all log files in current directory and sub-directories? We wonder whether [monitor:///<source>/logs/*.log] would monitor all log files in the <source>/logs directory and als... by ddrillic Ultra Champion in Getting Data In 12-14-2016 0 2	0	2
How to configure inputs.conf to route logs from 2 IP addresses to a specific index? Hello I have a number of devices logging to an index feeding Splunk via Syslog on 514/UDP. Now, I want to route logs... by j666gak Communicator in Getting Data In 12-14-2016 2 5	2	5
How to force Splunk use epoch time in the log file as index time I have following logs from a customer device: 0080101c40ba,10.10.1.2,1481421584,host1.labtest.com,error-message1,sev... by jgcsco Path Finder in Getting Data In 12-14-2016 1 8	1	8
How to edit my TIME_PREFIX in props.conf to properly extract the timestamp from my sample event? -health_checkin_date: 2016-10-30T09:45:28.824Z That is the line from a JSON event being sent into my Splunk instanc... by joshualarkins Explorer in Getting Data In 12-14-2016 1 3	1	3
How to restart a universal forwarder remotely via deployment server? We are facing a few issues whereour endpoints (clients) may have the Splunk service stopped. Can we force a restart o... by koshyk Super Champion in Getting Data In 12-14-2016 0 3	0	3
What is the syntax for \|makemv delim="\|" when writing it in the props.conf file? This works in the search bar \|makemv delim="\|", but not when I put that in the props.conf file. by Yepeza Path Finder in Getting Data In 12-14-2016 1 13	1	13
Is it possible to add and correct fields for past events? Hi, we just set up our first Universal Forwarder which now works as expected. But it didn't do so initially, before ... by dwoehr Explorer in Getting Data In 12-14-2016 0 1	0	1
How to forward specific log files to specific indexes? Hello, I'm trying to figure out the following setup: At the moment we have one rotating log file that should be forw... by dwoehr Explorer in Getting Data In 12-14-2016 0 4	0	4
Is there an internal log in Splunk with the number of events that were sent to null queue? Hi. We have recently been inadvertently sending some events to the null queue, due to a new data source that matche... by jhigginsmq Path Finder in Getting Data In 12-14-2016 0 5	0	5

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

Getting Data In

How to ignore the timestamp or any time value provided in the logs and use current time of the servers forwarding data instead?

What is the difference between TcpOutputProc and TcpOutputFd?

Why is the default taking precedence over the sourcetype I've set in inputs.conf or props.conf?

Bug in Universal Forwarder? inputs.conf monitor and recursive = false

Can sourcetype control be applied in props.conf?

How high can we safely set max_fd in limits.conf on the forwarder?

How to tell a Splunk Universal Forwarder to not to monitor its own log files?

Is it possible to do a groupby operation on multiline Cisco Ironport before indexing?

How to configure inputs.conf to index Windows Perfmon RPC/HTTP proxy counters?

Is it appropriate to take VM snapshots prior to upgrading Splunk Deployment Server and Heavy Forwarder to 6.5.1?

How to reduce the number of events in my indexes by filtering out Windows event IDs?

How do I debug perfmon:memory missing on a windows 2012 R2 host?

分散サーチの機能を利用せずに、サーチヘッドとインデクサーを別のサーバーへ配置したい

Can we add additional parameters (IP and hostname) to the logs which are collected thorough a Windows universal forwarder?

Where does Splunk keep metadata on when a log was indexed?

How can we delete a large index from an indexer cluster?

How can we monitor all log files in current directory and sub-directories?

How to configure inputs.conf to route logs from 2 IP addresses to a specific index?

How to force Splunk use epoch time in the log file as index time

How to edit my TIME_PREFIX in props.conf to properly extract the timestamp from my sample event?

How to restart a universal forwarder remotely via deployment server?

What is the syntax for |makemv delim="|" when writing it in the props.conf file?

Is it possible to add and correct fields for past events?

How to forward specific log files to specific indexes?

Is there an internal log in Splunk with the number of events that were sent to null queue?

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Transilience AI threat intel feed integration

I have question about Metrics

How to integrate threat armor with splunk?

How to integrate Google Cloud armor with splunk?

How to Integrate Iraje PAM with splunk? Is there a...

Getting Data In

Join the Conversation