Getting Data In

Discussions

Thread Info

Why are my sourcetypes constantly changing, and how do I prevent this?

I have a small LAN with a couple dozen servers all running Solaris. They are sending into a single instance of Splunk...

by Contributor in

Deployment Server flooded with SSL handshake errors from forwarders. How to configure forwarders to use TLS 1.2

We've recently locked down everything to use TLS 1.2 and I think i've fixed just about everything, however, my deploy...

by Path Finder in

What is the best way to index old data with fixed dates?

Hi all. I have a set of logs without a timestamp field, so, this value is taken from "Current time" on each source...

by Builder in

Why are we not seeing expected behavior for maxTotalDataSizeMB in indexes.conf?

I'm seeing a sudden spike in data coming from our firewalls (edge and internal). On average an increase of 202% daily...

by Explorer in

Why is copy-truncate a low-quality log-rotation strategy?

I've been told that the copy-truncate pattern is a poor choice for log rotation, and that it should only be used when...

by Splunk Employee in

Log rotation best practices

We have a couple of files, that are rotated by copying and then truncating the original file (so no new inode is crea...

by Motivator in

How can we improve universal forwarder performance?

Hi, We have a proxy server where multiple log files get uploaded. The average is about 15 million events per day. ...

by Motivator in

How can I define props.conf with respective source types?

i have text file with some data below. how can i define my props.conf file with respective sourcetypes? file 1 of ...

by Communicator in

How to edit my inputs.conf to whitelist selected events from Windows Security logs?

Hello I have to get only the selected events from Windows Security logs, so I have added the whitelist in inputs.c...

by Builder in

How to edit my monitor stanza with wildcards to monitor a file with subfolders?

I need help with setting these wild cards, it seems like Splunk is not picking up the file in the sub folders. Logs a...

by Contributor in

Why is c# logging to HTTP Event Collector not working?

I am trying to send events from my Windows server .NET app to Splunk index via HTTP Event Collector. I was able to...

by Path Finder in

How to split a log into multiple sourcetypes on a heavy forwarder?

Hi, I seem to be struggling in splitting log data from the heavy forwarder into several sourcetypes in an index. I...

by Contributor in

Splunk UF crashing frequently 6.3

Hi All, UF is crashing frequently . I didn't find any details in the splunkd logs VERSION=6.3.0 BUILD=aa7d4b1cc...

by Contributor in

How to disable Splunk Web on a universal forwarder?

I use Nessus to scan for SSL issues, and the Splunk Web interface is being flagged due to the self signed certs. I ha...

by New Member in

How to refine our sourcetype configuration for proper line breaking of events that contain multiple date values?

We are having problems parsing lines with timestamps at the beginning of the line but then there are other fields tha...

by SplunkTrust in

How should you specify the script file for PowerShell Modular Inputs

The documentation for the PowerShell Modular Input states When you specify a script file (.ps1), prepend the script n...

by Explorer in

What cron expression is supported for the PowerShell Modular Input schedule

When using Splunk Web to configure a new Powershell v3 Modular Input the hint for the Cron Schedule the hint text sta...

by Explorer in

After installing a forwarder on Windows to send data to a Splunk Cloud trial, why do I not see the forwarder in the Add Data page?

I'm new to Splunk and setting up Splunk Cloud trial verison. Have installed a Splunk forwarder on Win 2008 R2 64X ...

by New Member in

After creating an index for the Search app, why is my indexes.conf file missing from C:\Program Files\Splunk\etc\apps\search?

Hello, I have trial version of Splunk Enterprise with me. I created an index for the search and reporting app, but...

by New Member in

Why am I receiving "UniversalForwarder Setup Wizard ended prematurely because of an error" when trying to upgrade my server to 6.4.1?

Hi, There are a few servers throwing the error while installing Agent: "UniversalForwarder Setup Wizard ended premat...

by New Member in

Parsing fields from json logs

Hi Splunkers. I'm attempting to search based on fields in a JSON log file For example I am trying to search based on ...

by Path Finder in

How do I redirect to another indexer using wildcards in my props.conf?

All, I have the following props.conf / transforms.conf setup. Trying to set aside PCI into it's own set of indexe...

by Builder in

How to line break my XML file by using LINE_BREAKER or editing props.conf?

Hi Guys, I am trying to breaks the events for my sample XML file. Below is the sample. I need to break this on tag...

by Engager in

Why is indexing volume not matching license usage?

Following some runaway license violations, I am looking to find the offending host but in running the queries that I ...

by Explorer in

How to configure universal forwarders (deployment clients) on Windows machines to send logs to Splunk Light?

Complete Splunk beginner here. I am learning to use Splunk. We have a bunch of Windows machines that we want to pu...

by Engager in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Why are my sourcetypes constantly changing, and how do I prevent this?

Deployment Server flooded with SSL handshake errors from forwarders. How to configure forwarders to use TLS 1.2

What is the best way to index old data with fixed dates?

Why are we not seeing expected behavior for maxTotalDataSizeMB in indexes.conf?

Why is copy-truncate a low-quality log-rotation strategy?

Log rotation best practices

How can we improve universal forwarder performance?

How can I define props.conf with respective source types?

How to edit my inputs.conf to whitelist selected events from Windows Security logs?

How to edit my monitor stanza with wildcards to monitor a file with subfolders?

Why is c# logging to HTTP Event Collector not working?

How to split a log into multiple sourcetypes on a heavy forwarder?

Splunk UF crashing frequently 6.3

How to disable Splunk Web on a universal forwarder?

How to refine our sourcetype configuration for proper line breaking of events that contain multiple date values?

How should you specify the script file for PowerShell Modular Inputs

What cron expression is supported for the PowerShell Modular Input schedule

After installing a forwarder on Windows to send data to a Splunk Cloud trial, why do I not see the forwarder in the Add Data page?

After creating an index for the Search app, why is my indexes.conf file missing from C:\Program Files\Splunk\etc\apps\search?

Why am I receiving "UniversalForwarder Setup Wizard ended prematurely because of an error" when trying to upgrade my server to 6.4.1?

Parsing fields from json logs

How do I redirect to another indexer using wildcards in my props.conf?

How to line break my XML file by using LINE_BREAKER or editing props.conf?

Why is indexing volume not matching license usage?

How to configure universal forwarders (deployment clients) on Windows machines to send logs to Splunk Light?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Re-ingest Windows logs across enterprise

SC4S Syslog server update fails during download wi...

Event break multiline PowerShell Transcript Log

uberAgent

.NET Application Runtime Metrics Not Showing in Sp...

Getting Data In

Are you a member of the Splunk Community?

Discussions