Getting Data In

Discussions

Thread Info

Is _indextime set at parse time or index time?

Does anyone know if the _indextime field is assigned during the parsing phase or when the event is written into the i...

by Super Champion in

Difference in Size Between Events

I have two indexes that contain different sets of events. Index 1 Event Count – 23,952 Current Size – 19 Index...

by Path Finder in

Multiline file, indexes every line

Hi I have a log file that mainly contains one liners, but the errors that are logged comes as multiple lines and a...

by Engager in

rewrite index with fallback to a default one, if it doesn't exist

I am trying to achieve the following: 1 - define the index on the forwarder directly in the inputs.conf (let's say...

by Path Finder in

Why there are additional TCP connections initiated from my Universal Forwarder, which are TIME_OUT

Hello, I recently started installing the Splunk Universal Forwarder on all of our Windows hosts. The deployment go...

by Communicator in

Hunk - specify delimiter when using SplunkLineRecordReader

How does one specify the delimiter when using SplunkLineRecordReader? Trying to read in a csv file with a header and ...

by Engager in

Using the Heavy Forwarder to load balance syslog message output?

I am using a heavy forwarder to transform splunk message into a syslog format. I would then like to the heavy forward...

by New Member in

How to parse key-value pairs from logs in JSON format?

Hi, In my Java application, I am printing logs in JSON format. Here in JSON "message" field I am logging a value as k...

by Communicator in

Fixed Format Records - Timestamp Extraction Issues

Guys, This is probably a simple answer, but I'm struggling to get it right  I have events of fixed length - ea...

by Contributor in

Multi-line events breaking at 257 lines despite MAX_EVENTS=40000

I have some files I'm trying to parse into splunk, and I'm having trouble with getting large multi-line events to wor...

by Engager in

BREAK_ONLY_BEFORE not working

I have a clustered system that I am using, and I'm attempting to break events at the search head level, and it seems ...

by Motivator in

Why I cant reindex my log data after two consecutive cleaning of index?

Hi all, Im having trouble with re indexing my logs after i did twice index clean up. I have here my inputs.conf...

by Contributor in

Grouping JSON data and creating dynamic chart

Hi experts, I am trying to create a dashboard from my data, which is logged in JSON format. However, I am stuck wi...

by Explorer in

Forwarding from universal to index

It was working fine and suddenly got the following error of nowhere and not geeting data anymore. 11-03-2011 16:53...

by Path Finder in

Universal Forwarder and custom sourcetype

I would like to forward my symfony logs using a Splunk universal forwarder. I ran a train on a sample symfony log fil...

by Engager in

Is there a tool to measure IOPS of Splunk indexers on Windows 2008 servers?

Hi; i want to measure the IOPS of our splunk indexers on windows 2008 boxes. Is there a way how to do it? Thank...

by Path Finder in

Change Virtual Index programmatically daily

Hi. I am using Hunk currently to connect to an Amazon S3 bucket for my virtual index. The end of the Path to data ...

by New Member in

How do I shut off indexing for a certain group who are forwarding their data to my indexer when their data reaches a certain volume?

Another team has asked me if they can send their syslog data to my Splunk server if they purchase some license capaci...

by Path Finder in

Many indexes for many hosts? (no hostname in the logs)

Hi all, I have a doubt about which can be the best practice about indexing if: I have several splunk client fo...

by Explorer in

LINE_BREAKER not work with if i add FIELD_DELIMITER in props.conf

I create regularExp. for line break which work correctly but if i add FIELD_DELIMITER = | with that then line break n...

by Communicator in

Getting Data In

Discussions

Is _indextime set at parse time or index time?

Difference in Size Between Events

Multiline file, indexes every line

rewrite index with fallback to a default one, if it doesn't exist

Why there are additional TCP connections initiated from my Universal Forwarder, which are TIME_OUT

Hunk - specify delimiter when using SplunkLineRecordReader

Using the Heavy Forwarder to load balance syslog message output?

How to parse key-value pairs from logs in JSON format?

Fixed Format Records - Timestamp Extraction Issues

Multi-line events breaking at 257 lines despite MAX_EVENTS=40000

BREAK_ONLY_BEFORE not working

Why I cant reindex my log data after two consecutive cleaning of index?

Grouping JSON data and creating dynamic chart

Forwarding from universal to index

Universal Forwarder and custom sourcetype

Is there a tool to measure IOPS of Splunk indexers on Windows 2008 servers?

Change Virtual Index programmatically daily

How do I shut off indexing for a certain group who are forwarding their data to my indexer when their data reaches a certain volume?

Many indexes for many hosts? (no hostname in the logs)

LINE_BREAKER not work with if i add FIELD_DELIMITER in props.conf

WMI does not collect data from servers that do not...

How to troubleshoot Complex Heavy Forwarder Flows

Splunk Add on for McAfee DAM (Database Activity Mo...

Splunk Input from S3

How do I set the CRON job for scripted inputs so t...