Getting Data In

Discussions

Thread Info

How much license value is utilized while indexing a file of 100Gb once it is in compressed format in indexer?

When a log file is brought inside the Splunk indexer after input phase it is compressed to almost 10% of its value. S...

by Path Finder in

event shows repeatedly in splunkd.log

Hoping someone can help me out here: I have a system with a heavy forwarder installed (v.4.1.6) that shows the fol...

by Contributor in

What happens to the data if the indexer in an indexer cluster goes down?

I have 12 Indexers (6 each/site) in a multi cluster environment. Data is replicated to the other site with RF =2 and ...

by Explorer in

Size limit for an event?

Hi! Is there a size limit for how big an event can be before it's split into two? I'm trying to index p4 data, and...

by Splunk Employee in

What is the preferred way to migrate Splunk indexes onto new servers?

Hi All - We have a bunch of Splunk indexes in place. Our application is going to migrate to a new set of servers. ...

by Explorer in

Forwarding of data dies

Have about 1000 UFs that not getting data that is searchable They are throwing the error: 10-05-2016 14:54:05.162 +00...

by Builder in

How do I monitor Desired State Config event logs?

I'm trying to monitor the Desired State Configuration event logs on some Windows servers. I cannot seem to get the mo...

by Path Finder in

Time stamp field using transforms.conf

HI All, Am have CSV which is semicolon as delimiter and am using Props and transpose to extract the fields. But am...

by Contributor in

Setting up props.conf at the heavy forwarders

I have an app to which the basic inputs.conf were set and the app was forwarding logs to the indexers without any iss...

by Builder in

If I have a custom sourcetype with fields delimited by commas, how do I extract the first field as the event timestamp?

If I have a custom sourcetype with fields delimited by ,, the first field in the data is what I want to extract as th...

by Path Finder in

Is it safe to modify maxTotalDataSizeMB in a clustered environment (indexes.conf)?

Hello, maxTotalDataSizeMB of one index is too large, is it possible to reduce it (above current size of course), w...

by Motivator in

What is the execution order for EXTRACT, REPORT, EVAL, LOOKUP and ALIAS in props.conf?

Hello all, Anyone would have an idea of the execution order of EXTRACT, REPORT, EVAL, LOOKUP and ALIAS in the prop...

by Engager in

Events from a log were not breaking properly so I edited props.conf to fix the issue, but is it possible to reindex the old data to ensure proper event breaking?

I have ingested the data from a log file but the events were not breaking properly. So I edited the props.conf file t...

by Contributor in

Single forwarder to multiple indexers load balancing

Hi everyone, Implementing Splunk for the first time in an enterprise environment, I read a lot of documentation ab...

by Engager in

What does this error mean from the source var/log/authlog?

Does anyone have seen this error while trying to forward some data to the indexer. Source of the error :- var/log...

by Builder in

Problem with Indexer Discovery: Receiving "ERROR IndexerDiscoveryHeartbeatThread - failed heartbeart" when attempting to add a new forwarder

Hi, We have index clustering working fine. We have several heavy forwarders configured successfully with indexer ...

by Contributor in

After removing a monitor on one log file from all my Splunk forwarders, why do I still see search results for that log file?

I removed a monitor on one log file from all the Splunk forwarders in the inputs.conf file and restarted Splunk forwa...

by New Member in

Help with date Regex

The find folks at Fortigate have chosen an "unusual" log format for their URL logs. Pretty simple except for the fact...

by Path Finder in

Help me parse a date/time field that is in HEX

One of my sourcetypes contains a hex date/time field which looks like this: 2E09050F3132 The format of this is...

by Path Finder in

Is it possible for Splunk to see the performance, transactions, availability, etc. from a Sybase DB on AIX 7?

I was wondering if Splunk is able to see the performance, transactions, availability, etc. from a Sybase DB on an AIX...

by Explorer in

From the CLI, can I issue a blackout on a specific monitoring target and then later clear the blackout?

i am unfamiliar with Splunk terminology. i want to issue a blackout/stop monitoring an Oracle instance alert_log whil...

by New Member in

How to configure a new Linux Splunk indexer/search head to receive data from a Windows universal forwarder?

Hello , I am trying to configure a new Splunk server (search head/indexer, have one). Currently have installed the...

by New Member in

Event Break JSON

Hi, I am trying to ingest JSON data into Splunk but I am having difficulties setting up the event breaks. What is the...

by Engager in

How to Create Dynamic Dropdown Inputs at Search Results within a Form (Version 6.3.3)

Hi, I’m looking for a way to add dropdown inputs to the search results of a form. I’m looking for something wh...

by Builder in

Time stamp stanza

I want to make sure i understand this, i have logs that splunk can not find the time stamp on. and some are missing. ...

by Contributor in

Get Updates on the Splunk Community!

Getting Data In

Discussions

How much license value is utilized while indexing a file of 100Gb once it is in compressed format in indexer?

event shows repeatedly in splunkd.log

What happens to the data if the indexer in an indexer cluster goes down?

Size limit for an event?

What is the preferred way to migrate Splunk indexes onto new servers?

Forwarding of data dies

How do I monitor Desired State Config event logs?

Time stamp field using transforms.conf

Setting up props.conf at the heavy forwarders

If I have a custom sourcetype with fields delimited by commas, how do I extract the first field as the event timestamp?

Is it safe to modify maxTotalDataSizeMB in a clustered environment (indexes.conf)?

What is the execution order for EXTRACT, REPORT, EVAL, LOOKUP and ALIAS in props.conf?

Events from a log were not breaking properly so I edited props.conf to fix the issue, but is it possible to reindex the old data to ensure proper event breaking?

Single forwarder to multiple indexers load balancing

What does this error mean from the source var/log/authlog?

Problem with Indexer Discovery: Receiving "ERROR IndexerDiscoveryHeartbeatThread - failed heartbeart" when attempting to add a new forwarder

After removing a monitor on one log file from all my Splunk forwarders, why do I still see search results for that log file?

Help with date Regex

Help me parse a date/time field that is in HEX

Is it possible for Splunk to see the performance, transactions, availability, etc. from a Sybase DB on AIX 7?

From the CLI, can I issue a blackout on a specific monitoring target and then later clear the blackout?

How to configure a new Linux Splunk indexer/search head to receive data from a Windows universal forwarder?

Event Break JSON

How to Create Dynamic Dropdown Inputs at Search Results within a Form (Version 6.3.3)

Time stamp stanza

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Extract fields from RFC5424 syslog with nested jso...

Splunk Nutanix TA and Splunk Enterprise 9.3.4

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

Getting Data In

Are you a member of the Splunk Community?

Discussions