Getting Data In

Discussions

Thread Info

After upgrade to Splunk 6.4.0 from 6.3.1, why is UDP:514 data being indexed in main and not the syslog index?

I just updated to 6.4.0 from 6.3.1. Data is being received on UDP:514 from my firewalls. This data was indexed as sys...

by New Member in

Why does this Splunk forwarder instance thinks its a deployment server/client?

Hi, I have defined a forwarder. This forwarder was configured to send its logs to an indexer for testing purposes....

by Contributor in

How to configure a Splunk Universal forwarder on a remote system?

I've already installed the Splunk Universal Forwarder in my remote PC. I gave the Indexer the IP to receive the data ...

by Engager in

Why is old data not being deleted every day after configuring a 3 day retention period for an index?

Hi, I am testing the retention related settings in my test index. I have set up the frozenTimePeriodInSecs = 25920...

by Path Finder in

Universal forwarder using 40-50% CPU and reports "(process) took longer than seems reasonable...Might indicate hardware or splunk limitations."

A Splunk Universal Forwarder has been using an unusual amount of CPU (between 40% and 50%), specifically by splunk-wi...

by Path Finder in

How to edit my data retention policy configuration to delete all data older than two or three weeks?

Hello, I'm currently running Splunk Enterprise on version 6.3 in a non clustered environment and I'm having some i...

by Path Finder in

No dashboard graphs or entity info in Splunk App for VMware

Hi splunkers, Last week I've installed Splunk and Splunk App for VMware, everything looks to work fine but to det...

by Path Finder in

How to force local indexing in each site of a multisite indexer cluster?

I have three geographically separated sites where I am implementing a multisite Splunk Indexer Cluster. The master si...

by Communicator in

Is there a way to add an index via CLI that includes hot/warm and cold paths without restarting?

by Splunk Employee in

Timestamp parsing with separate Date and Time fields

Hi there, My event data has the following extract about 100chars in from the start of the event... &ltdate_valu...

by Splunk Employee in

Why are Windows event logs not being forwarded to the specified index with my current configuration?

I have a universal forwarder installed on my Windows server. I am trying to send Event Logs with certain Event Types ...

by Explorer in

How to configure Splunk to permanently index certain data to indexA instead of the current indexB?

Hi all! I checked in the forum that someone has already asked similar question. ++++++Copy from another quest...

by New Member in

Try and add Monitoring to folder - get error "In Handler monitor cannor perform action "Post" without a target name to act on"

Hi guys, bit of a splunk newbie here, but muddling my way along with all the great articles on here. Im having an...

by Path Finder in

How to set the timestamp format to YYYY-MM-DD?

I need to use the field email sent to YYYY-MM-DD format for timestamp. How to set the timestamp for the YYYY-MM-DD fo...

by Path Finder in

Installing the splunk-reskit-powershell

I'm having issue getting started with the Splunk-reskit-Powershell module. The Getting Started with the Splunk Po...

by Explorer in

Hunk UTC timezone

We use UTC as our timezone for Hunk + HIve. So we use this in our indexes.conf vix.input.1.et.timezone = UTC I ...

by SplunkTrust in

Dos anyone is indexing EMET logs

hi splunkers ! I Begin to work on Windows EMET logs. From scratch, this software gives a lots of information. Does...

by Communicator in

How to get logs from a Windows machine without installing a forwarder?

Hi, I understand that best practice is to install a universal forwarder on a server and send the logs directly to...

by Path Finder in

How do I line break this data source?

ComputerTarget=EDITED; NeededCount=31; DownloadedCount=0; NotApplicableCount=82225; NotInstalledCount=31; InstalledCo...

by New Member in

Is it possible to configure the universal forwarder to forward all Windows event logs without needing to put in every single log by hand?

For some time now I have been using Splunk to log all the basic Windows event logs such as App, Security, Setup, Syst...

by Path Finder in

Reqex filter in transforms.conf not working

At the indexer, I am trying to exclude event records from incoming windows logs that have Logon Type=3. Below is the ...

by Explorer in

What is the exact Raspberry Pi (Debian) CLI command to download the Universal Forwarder

Sorry... total numbnut here... not much experience with *nix commands I'm sorry. I want to download the Universal ...

by Engager in

Is it possible to drop events at the source with a universal forwarder?

All, Just reading: http://blogs.splunk.com/2016/05/05/high-performance-syslogging-for-splunk-using-syslog-ng-part...

by Builder in

Heavy Forwarder, License Exceeded and Log Rotation

Complex question here. I have the following set up: Universal forwarder[20G rotating file] -> Heavy Forwarder[p...

by Path Finder in

how can I sift out TRACE and DEBUG entries so that splunk doesn't index them when pulling other data from monitored logs at clients?

Hello, our splunkforwarders are configured to pull in certain logs from various clients with a "[monitor://]" entry i...

by Path Finder in

Get Updates on the Splunk Community!

Getting Data In

Discussions

After upgrade to Splunk 6.4.0 from 6.3.1, why is UDP:514 data being indexed in main and not the syslog index?

Why does this Splunk forwarder instance thinks its a deployment server/client?

How to configure a Splunk Universal forwarder on a remote system?

Why is old data not being deleted every day after configuring a 3 day retention period for an index?

Universal forwarder using 40-50% CPU and reports "(process) took longer than seems reasonable...Might indicate hardware or splunk limitations."

How to edit my data retention policy configuration to delete all data older than two or three weeks?

No dashboard graphs or entity info in Splunk App for VMware

How to force local indexing in each site of a multisite indexer cluster?

Is there a way to add an index via CLI that includes hot/warm and cold paths without restarting?

Timestamp parsing with separate Date and Time fields

Why are Windows event logs not being forwarded to the specified index with my current configuration?

How to configure Splunk to permanently index certain data to indexA instead of the current indexB?

Try and add Monitoring to folder - get error "In Handler monitor cannor perform action "Post" without a target name to act on"

How to set the timestamp format to YYYY-MM-DD?

Installing the splunk-reskit-powershell

Hunk UTC timezone

Dos anyone is indexing EMET logs

How to get logs from a Windows machine without installing a forwarder?

How do I line break this data source?

Is it possible to configure the universal forwarder to forward all Windows event logs without needing to put in every single log by hand?

Reqex filter in transforms.conf not working

What is the exact Raspberry Pi (Debian) CLI command to download the Universal Forwarder

Is it possible to drop events at the source with a universal forwarder?

Heavy Forwarder, License Exceeded and Log Rotation

how can I sift out TRACE and DEBUG entries so that splunk doesn't index them when pulling other data from monitored logs at clients?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions