Getting Data In

Discussions

Thread Info

How to remove characters in my json raw data so it can be indexed in son formate?

{"ts":"11 03 2016 06:03:56.390","th":"sample-product","user":"apple","device":"iphone","errorCode":"","level":"INFO",...

by Path Finder in

Why are audittrail and splunkd sourcetypes eating up 1/5th of my allowed indexing?

So I was confused as to why the small amount I was indexing from my event logs every day was getting me so close to m...

by Path Finder in

When I add data in Splunk, why does "Preview data before indexing" result in error "The read operation timed out"?

HI, Since yesterday, when I add data into Splunk and choose "Preview data before indexing" this error message app...

by New Member in

How to only index events that contain specific fields?

Hello, all. I know that my question's not a unique, but I want to ask it  I have a netflow text log on a server w...

by Communicator in

TCP:9514 logs doesn't show in Splunk

Hi Team, I have configured a Cisco router to send syslogs to Splunk over TCP port 9514. But that doesn't show up i...

by New Member in

How to pick your local domain controller for event log SID translation?

Hi, We recently deployed the following config to 500 Windows Universal Forwarders: [WinEventLog://Security] dis...

by SplunkTrust in

How to troubleshoot why my scripted input on Solaris is not working?

All, Not really a SunOS guy, so might be missing something fundamental. I wrote the script I need, and it runs fi...

by Builder in

How to add parallelIngestionPipelines to server.conf in an indexer cluster?

Hi All, We have an indexer cluster and cluster master. we need to add the parameter below in the indexer cluster s...

by Contributor in

How to remove inner double quotes from json data??

Hello i am trying to remove inner double quotes from json data here is my sample data: {"msg": "the message...

by Path Finder in

Whats the best way to blacklist a Windows event code?

I have over 300 Universal forwarders and I'm getting several eventcode=5156 events errors. Is there a way to blacklis...

by Path Finder in

Splunk offline command and bucket replication

Reading through the "offline" documentation & "maintenance" mode documentation, I'm slighly confused, if we need to d...

by Super Champion in

Why is the Distributed Management Console unable to find forwarders?

I configured Forwarder Monitoring Setup of DMC function for monitoring status of forwarders, but the Distributed Mana...

by Explorer in

How to edit props.conf to line break a single line event into multiple lines?

I have a single line event as shown. I have to break it to multiple lines starting at {IBP_LKL . May I know what sett...

by Contributor in

Windows Server 2008R2 Splunk server not receiving Windows Event Logs from a Windows 7 PC with Universal Forwarder installed

I initially tested the Splunk Server on a Windows 7 machine and installed the Universal Forwarder on another WIndows ...

by Engager in

Getting Data In

Discussions

How to remove characters in my json raw data so it can be indexed in son formate?

Why are audittrail and splunkd sourcetypes eating up 1/5th of my allowed indexing?

When I add data in Splunk, why does "Preview data before indexing" result in error "The read operation timed out"?

How to only index events that contain specific fields?

TCP:9514 logs doesn't show in Splunk

How to pick your local domain controller for event log SID translation?

How to troubleshoot why my scripted input on Solaris is not working?

How to add parallelIngestionPipelines to server.conf in an indexer cluster?

How to remove inner double quotes from json data??

Whats the best way to blacklist a Windows event code?

Splunk offline command and bucket replication

Why is the Distributed Management Console unable to find forwarders?

How to edit props.conf to line break a single line event into multiple lines?

Windows Server 2008R2 Splunk server not receiving Windows Event Logs from a Windows 7 PC with Universal Forwarder installed

Can a custom app send data to the indexer via memory?

Accidentally uploaded the same license on indexers and master node. How to resolve a "Duplicated license situation"?

Considerations for adjusting autoLBFrequency in outputs.conf

Why are my nearly identically-named log files not being indexed by Splunk?

Whats the best way to migrate /db from one drive to another?

What is the user-seed.conf file?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>

Powershell script not running always on schedule -...

Should I remove /datamodel_summary on local drive ...

Archiving Best Practices for a Clustered Environme...

SignatureDoesNotMatch

Routing Metric events to null queue

Getting Data In

Discussions

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>