Getting Data In

Discussions

Thread Info

mongod process consuming more CPU on Linux NUMA machine -remediation

mongod process taking more CPU. Getting below message in var/log/splunk/mongod.log. Where should I run this command? ...

by Path Finder in

Timestamp difference

Hi, Index time 4 hours behind the actual timestamp of the database row we are pulling in as event. This is resul...

by Explorer in

what could be the reason for some splunk sessions observed to be in the DDMMYYYY format ( ideally it is in MMDDYYYY format)?

Default date in the Splunk session is observed to be in the DDMMYYYY format ( ideally it is in MMDDYYYY format) Du...

by Builder in

How to use sourcetype to route data from a heavy forwarder to different indexer cluster groups ?

Hi there, We're trying to have a splunk forwarder to send data to an intermediate splunk heavy forwarder that clo...

by Engager in

How to edit authentication.conf via Rest (round 2)?

I am trying to edit etc/system/local/authentication.conf via the rest API. I was advised to look at Edit Configs via...

by Communicator in

After upgrading Splunk from 6.3.0 to 6.4.1, why am I getting error "Invalid value in stanza [header_nullq]" on restart?

Hi, I upgraded Splunk from 6.3.0 to 6.4.1. On restarting Splunk, I am getting below messages. Checking filesys...

by Explorer in

JSON - options either limits/tuncates events OR extract twice.

Hi Guys Pretty new to all this and struggling to understand all the other answers. I have a cronjob which is ex...

by Path Finder in

timestamp equals to none for CSV file [ unable to get a date field as a timestamp]

Hello, I am trying to get splunk to parse the timestamps properly in my CSV, II Here are the first lines of the CSV :...

by Explorer in

Is it possible to set retention policies on indexed data based on sourcetype?

We are in a slight dilemma where we are trying to reduce down the number of indexes we have, understanding that this ...

by Builder in

transforms and props.conf splitting sourcetype not matching

I'm trying to follow the pattern of matching a string and transforming the event into a new sourcetype. I'm using a s...

by Explorer in

How to configure Splunk to prevent line breaking events on ASCII character "#012"?

I have syslog messages arriving at the indexer with embedded ASCII form feed characters (#012). Splunk is breaking on...

by Builder in

How to update CSV ?

Hi all, I am looking to have a csv with a number of rows and columns. I would like that when the CSV gets updated ...

by Explorer in

How to load a CSV file into Splunk & Change the csv file dynamically, so that data is refreshed.

Hi All, I am trying to load a .csv file into splunk, using sourcetype(csv). Upload of data is working fine but the...

by Communicator in

Where and how to define TIME_FORMAT in props.conf?

I have props.conf in 3 different directories as follows: 1) Splunk_Home/etc/apps/learned/local/props.conf [splu...

by Builder in

Using a field within a log for the true timestamp

Here si the example log: Sep 1 11:23:48 HOSTNAME netflow: timestamp=2016-08-30T12:51:07.593 duration=1.246 proto=6...

by Builder in

Is it possible to index and forward a specific sourcetype from an indexer?

I have a situation in which I need to get events from our Windows servers to a third-party device for a managed secur...

by Engager in

How to decompress a single field (compressed JSON file) given the data has already been indexed in Splunk?

We have a compressed (via python zlib) JSON file that is "chunked" prior to being indexed by Splunk. The multiple ...

by New Member in

Need help resolving why _TCP_ROUTING is not sending specified data to specified indexer?

I have been trying to figure this out for a few days, and I am not getting anywhere. I have specific data coming i...

by Path Finder in

Simple forwarder encryption

Is it possible to configure a universal forwarder to encrypt WITHOUT requiring mutual auth? Like how most browsers wo...

by Engager in

UTC timezone missing?

For clarity, the support staff work in UTC when looking at logs. The Splunk indexers are all running with /etc/localt...

by Engager in

Splunk Add-on for Checkpoint 4.0.0

I have a checkpoint cluster configuration with a single management workstation - Installing the Add-on to establish t...

by Path Finder in

How to upgrade Apps (Palo Alto) on a Heavy Forwarder Cluster setup?

Hello community, I just take over a cluster (which is not in full productive mode yet) and i want to update all se...

by Communicator in

create summary index in transforms.conf

Hi all, I currently have a scheduled search that runs every minute and filters certain events for the previous min...

by Path Finder in

Add a custom Perfmon

I have a saved Perfmon that is installed on my environment. I'd like to bring that data in. for example: name o...

by Path Finder in

csv file could not be read.

I created a csv file and placed in splunk/var/run/splunk/csv/ folder and using the command |inputcsv filename.csv ...

by Explorer in

Get Updates on the Splunk Community!

Getting Data In

Discussions

mongod process consuming more CPU on Linux NUMA machine -remediation

Timestamp difference

what could be the reason for some splunk sessions observed to be in the DDMMYYYY format ( ideally it is in MMDDYYYY format)?

How to use sourcetype to route data from a heavy forwarder to different indexer cluster groups ?

How to edit authentication.conf via Rest (round 2)?

After upgrading Splunk from 6.3.0 to 6.4.1, why am I getting error "Invalid value in stanza [header_nullq]" on restart?

JSON - options either limits/tuncates events OR extract twice.

timestamp equals to none for CSV file [ unable to get a date field as a timestamp]

Is it possible to set retention policies on indexed data based on sourcetype?

transforms and props.conf splitting sourcetype not matching

How to configure Splunk to prevent line breaking events on ASCII character "#012"?

How to update CSV ?

How to load a CSV file into Splunk & Change the csv file dynamically, so that data is refreshed.

Where and how to define TIME_FORMAT in props.conf?

Using a field within a log for the true timestamp

Is it possible to index and forward a specific sourcetype from an indexer?

How to decompress a single field (compressed JSON file) given the data has already been indexed in Splunk?

Need help resolving why _TCP_ROUTING is not sending specified data to specified indexer?

Simple forwarder encryption

UTC timezone missing?

Splunk Add-on for Checkpoint 4.0.0

How to upgrade Apps (Palo Alto) on a Heavy Forwarder Cluster setup?

create summary index in transforms.conf

Add a custom Perfmon

csv file could not be read.

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Taking one site of two site indexer cluster down f...

Onboard Unknown Source to SC4S

.NET Application Runtime Metrics Not Showing in Sp...

Streamfwd drops IPFIX data with “no template recei...

Splunk Observability Cloud/SignalFx - Related Cont...

Getting Data In

Are you a member of the Splunk Community?

Discussions