Getting Data In

Discussions

Thread Info

Is it possible to index and forward a specific sourcetype from an indexer?

I have a situation in which I need to get events from our Windows servers to a third-party device for a managed secur...

by Engager in

How to decompress a single field (compressed JSON file) given the data has already been indexed in Splunk?

We have a compressed (via python zlib) JSON file that is "chunked" prior to being indexed by Splunk. The multiple ...

by New Member in

Need help resolving why _TCP_ROUTING is not sending specified data to specified indexer?

I have been trying to figure this out for a few days, and I am not getting anywhere. I have specific data coming i...

by Path Finder in

Simple forwarder encryption

Is it possible to configure a universal forwarder to encrypt WITHOUT requiring mutual auth? Like how most browsers wo...

by Engager in

UTC timezone missing?

For clarity, the support staff work in UTC when looking at logs. The Splunk indexers are all running with /etc/localt...

by Engager in

Splunk Add-on for Checkpoint 4.0.0

I have a checkpoint cluster configuration with a single management workstation - Installing the Add-on to establish t...

by Path Finder in

How to upgrade Apps (Palo Alto) on a Heavy Forwarder Cluster setup?

Hello community, I just take over a cluster (which is not in full productive mode yet) and i want to update all se...

by Communicator in

create summary index in transforms.conf

Hi all, I currently have a scheduled search that runs every minute and filters certain events for the previous min...

by Path Finder in

Add a custom Perfmon

I have a saved Perfmon that is installed on my environment. I'd like to bring that data in. for example: name o...

by Path Finder in

csv file could not be read.

I created a csv file and placed in splunk/var/run/splunk/csv/ folder and using the command |inputcsv filename.csv ...

by Explorer in

Missing events from search for specific hosts running UF

I have around 80 identically configured branch office domain controllers. They all get their config from the deployme...

by Communicator in

How can we anonymize user date at search time?

I want to anonymize user data (for example email adresses) at searchtime and tried a couple of ways. I tried the rex ...

by Explorer in

Why is my production environment breaking logs differently than my lab?

Good morning. So I have some TomCat logs of the format below that are parsing correctly in my lab but not in my produ...

by Explorer in

Windows Event Logs stop forwarding - why?

I have Splunk forwarder installed on many Windows 2008 systems, and recently, the Windows Event logs stopped showing ...

by Path Finder in

How to configure Splunk to break my sample log data into separate events, not one combined event?

Hi, I have the below log data: 16:37:56.875 [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (s...

by Motivator in

Search for users who have triggered multiple Windows Event Codes

I am looking for a way to show users who have matched three separate Windows Security Event Codes IE user X has (E...

by New Member in

What are best practices with creating indexes and sourcetypes for two distinct sources of unstructured data from the same application?

Hi all, I couldn't find any definitive answers, so I'm hoping that the forum members' real life experiences may po...

by Path Finder in

How to filter out the first 2 lines of an event?

I have a VB script to get Local users from Admin group. The event data from this script by default adds the below 2 l...

by Explorer in

Why are my Catalina logs not line breaking as expected when I set up a directory monitor in inputs.conf?

Hello, I'm trying to get some Tomcat Catalina logs to import correctly. Manually importing the files works fine, ...

by Explorer in

I have events that I need to split out according to an suffixed number on the end of the field names and then summarized with other events for the same Flow Name.

All of the fields ending in _1 need to be reported together, then all those ending in _2, etc. The number of suffixed...

by Explorer in

Trying to get SNMP data into Splunk, why am I getting error "A possible timestamp match is outside of the acceptable time window"?

I have followed the following links for getting SNMP Data into Splunk: http://blogs.splunk.com/2013/11/06/adventur...

by Path Finder in

Is it normal to have both sourcetype UDP:514 and sourcetype syslog?

Hello, My colleague configured 1 heavy forwarder and I configured the other 2. In my Splunk, I see both sourcetype...

by Explorer in

Why do I get "Invalid key in stanza [tcp-ssl://:1470] ... connection_host=dns your indexes and inputs are not internally consistent"?

Hello, Our /opt/splunk/etc/apps/search/local/inputs.conf file on our forwarder contains: [tcp-ssl://:1470] conn...

by Path Finder in

inputcsv returning no results

All, I am trying to read a csv file using the inputcsv command. I can't seem to figure out why, but the command is...

by Contributor in

In props.conf what does each term means??

INDEXED_EXTRACTIONS = csv NO_BINARY_CHECK = true category = Custom pulldown_type = 1 config = props

by Explorer in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Is it possible to index and forward a specific sourcetype from an indexer?

How to decompress a single field (compressed JSON file) given the data has already been indexed in Splunk?

Need help resolving why _TCP_ROUTING is not sending specified data to specified indexer?

Simple forwarder encryption

UTC timezone missing?

Splunk Add-on for Checkpoint 4.0.0

How to upgrade Apps (Palo Alto) on a Heavy Forwarder Cluster setup?

create summary index in transforms.conf

Add a custom Perfmon

csv file could not be read.

Missing events from search for specific hosts running UF

How can we anonymize user date at search time?

Why is my production environment breaking logs differently than my lab?

Windows Event Logs stop forwarding - why?

How to configure Splunk to break my sample log data into separate events, not one combined event?

Search for users who have triggered multiple Windows Event Codes

What are best practices with creating indexes and sourcetypes for two distinct sources of unstructured data from the same application?

How to filter out the first 2 lines of an event?

Why are my Catalina logs not line breaking as expected when I set up a directory monitor in inputs.conf?

I have events that I need to split out according to an suffixed number on the end of the field names and then summarized with other events for the same Flow Name.

Trying to get SNMP data into Splunk, why am I getting error "A possible timestamp match is outside of the acceptable time window"?

Is it normal to have both sourcetype UDP:514 and sourcetype syslog?

Why do I get "Invalid key in stanza [tcp-ssl://:1470] ... connection_host=dns your indexes and inputs are not internally consistent"?

inputcsv returning no results

In props.conf what does each term means??

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

Capability to upload image in Splunk Dashboard Stu...

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...