Getting Data In

Thread Info

When trying to forward IIS logs from one indexer to another indexer, why is props.conf transform not working for the IIS stanza?

From indexerA I am trying to forward Windows Event Logs and IIS Logs to indexerB. The Windows Event Logs are being fo...

by Explorer in

Use of double qoutes in rex command arguments fails alerts in windows environment.

Set up an alert with the search command: source="C:\test\data\log1.txt" | rex v="(? .*)" | head 10 the a...

by Splunk Employee in

Using Windows Powershell, how do I modify inputs.conf to only capture specific EventIDs?

Hello, I am trying to only capture EventIDs 400 and 800 inside the Windows PowerShell log (not the PowerShell Ope...

by Contributor in

Indexing problem

I tried to create a summary index for a search string. I scheduled the search, and enabled the index in the manager v...

by Path Finder in

How to attach a group read access to the Windows Eventlog when installing Splunk Universal Forwarder?

We are trying to collect data from certain secure Windows Systems and the team have requested to install "Splunk Univ...

by Super Champion in

How to send month old logs to Splunk via oneshot and maintain their correct timestamp if I currently have DATETIME_CONFIG=CURRENT in props.conf?

Hello all, I've been indexing Infoblox DHCP and DNS queries for a couple of months now. Because of the amount of l...

by Path Finder in

Can I disable Splunk from indexing data for a specific time frame?

I'm one overage away from violating my licenses due to an AV scan on my QA environments and would like to temporarily...

by SplunkTrust in

Why are files in a folder not getting deleted on the universal forwarder with move_policy=sinkhole in the inputs.conf batch stanza?

I setup my universal forwarder to monitor a folder and send the contents to one of my indexers. That works great. I c...

by New Member in

new to splunk - need help with input.conf

i am new to splunk that is already setup on our servers, my manager asked if i can edit the input.conf file so we can...

by Explorer in

Heavy Forwarder Configuration

I am having some issues getting my heavy forwarder to forward events. The configuration I'm trying to achieve is as f...

by Path Finder in

How to set date & time stamps across two lines in xml where time was already picked up

Hi Team Trying to ingest an xml file in the following raw format(extracted portion for sample but each event consi...

by Explorer in

Index data and then forward to another indexer

Hi, we have and indexer that receive data from some Univ. Forwarder. Data are stored on different index (IndexA, Inde...

by Explorer in

Splunk alert unable to trigger .bat file

My Splunk alert unable to trigger any executable file. For instance, I have placed reader.bat file in Splunk scripts ...

by Communicator in

Any way to tell a saved search to run under a certain timezone?

We are running into an issue where we have multiple users across the country; specifically MST. Data resideds on a se...

by Explorer in

props.conf and line breaking

I have been experimenting with indexing Nessus plugins. On my laptop where I have a test Splunk instance and scanner,...

by Path Finder in

Can I get Splunk to collect logs from vCenter's ESXi Dump Collector?

My vCenter guys are looking to install the ESXi Dump Collector so that they can store months worth of ESX log and met...

by New Member in

How do I CIM tag DB2 audit logs that are dumped on the filesystem as a text file (not using DB Connect)?

This is actually a question I already the answer for, I just want to use the question/answer style to ensure it compl...

by SplunkTrust in

What is the default value for maxConcurrentOptimizes?

If the parameter maxConcurrentOptimizes is not defined for an index in indexes.conf, will Splunk assign a value for i...

by Explorer in

Is there a way to disable a sourcetype in props.conf to no longer index these events?

Hello, I would like to disable a sourcetype defined in props.conf. I do not want anymore events related to this so...

by Explorer in

How do I configure the ulimit for an indexer?

How to configure the ulimit for an indexer? I want to increase the ulimit of the server.

by Path Finder in

Different values for each minute

Hi, i'm new to splunk and in need for a little help. we can only access an index that was made for our departme...

by Path Finder in

max even forwarding speed when maxKBps is unlimited and useACK is enabled

Out of curiosity, could folks give an estimate as to the maximum sustained throughput they have observed by a forward...

by Path Finder in

Is it possible to use SSH to connect Splunk to a MySQL database?

Hello, I am trying to connect Splunk to a MySQL database, however MYSQL is only listening on localhost. To normall...

by Engager in

How can I configure Splunk to properly index my file in production?

I have a file in production that appears to not be indexed as running a search for index=<name> returns no results. T...

by Path Finder in

What function or command can I use for Splunk to map the latitude and longitude into corresponding timezones?

Hi, Currently in my data, I have latitude and longitude info for all locations around the world. Is there a way or...

by Path Finder in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

When trying to forward IIS logs from one indexer to another indexer, why is props.conf transform not working for the IIS stanza?

Use of double qoutes in rex command arguments fails alerts in windows environment.

Using Windows Powershell, how do I modify inputs.conf to only capture specific EventIDs?

Indexing problem

How to attach a group read access to the Windows Eventlog when installing Splunk Universal Forwarder?

How to send month old logs to Splunk via oneshot and maintain their correct timestamp if I currently have DATETIME_CONFIG=CURRENT in props.conf?

Can I disable Splunk from indexing data for a specific time frame?

Why are files in a folder not getting deleted on the universal forwarder with move_policy=sinkhole in the inputs.conf batch stanza?

new to splunk - need help with input.conf

Heavy Forwarder Configuration

How to set date & time stamps across two lines in xml where time was already picked up

Index data and then forward to another indexer

Splunk alert unable to trigger .bat file

Any way to tell a saved search to run under a certain timezone?

props.conf and line breaking

Can I get Splunk to collect logs from vCenter's ESXi Dump Collector?

How do I CIM tag DB2 audit logs that are dumped on the filesystem as a text file (not using DB Connect)?

What is the default value for maxConcurrentOptimizes?

Is there a way to disable a sourcetype in props.conf to no longer index these events?

How do I configure the ulimit for an indexer?

Different values for each minute

max even forwarding speed when maxKBps is unlimited and useACK is enabled

Is it possible to use SSH to connect Splunk to a MySQL database?

How can I configure Splunk to properly index my file in production?

What function or command can I use for Splunk to map the latitude and longitude into corresponding timezones?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions