Getting Data In

Discussions

Thread Info

How to configure a heavy forwarder to filter events based on the hostname found in IIS logs?

I have not yet started ingesting IIS logs from my systems. The systems have roughly 2 years of logs stored on them, t...

by Path Finder in

How to find the path for an unknown data source that is sending data to Splunk?

How can I tell where data is coming from? I have inherited an old Splunk 5.0.1 Enterprise Infrastructure. I can see d...

by Explorer in

Indexed data twice! Suggestions to remove data from being searched?

Lets say we have forwarded events that are exactly the same and show in Splunk as duplicates. Running a | dedup _raw ...

by Builder in

Is there a way to validate the URI for HTTP Event Collector?

I am trying to leverage Powershell to POST the event in form of JSON. The Invoke-WebRequest does not work well. Is th...

by Path Finder in

Why do I see the default log files, but not the monitored log files being forwarded to indexers?

I am forwarding the data from forwarder to indexer. I am able to see the default log files that forwarder forwards to...

by Path Finder in

Filter out logs using props.conf and transfors.conf

I am pulling logs from the firewalls via scripts on a heavy forwarder (via scrips from the app for Checkpoint). How t...

by Contributor in

Blacklist/ignore files by size

When monitoring a directory for files (using inputs.conf) is it possible to blacklist or ignore files over a certain ...

by Builder in

Is it possible to transport data from a Windows event log view?

Hi, In our environment, many applications are logging into the Windows Application Event log. We would like to tra...

by Communicator in

How to configure wmi.conf to query Windows CPU Temperature?

I could not find any references to anyone trying to query temperature using WMI

by Path Finder in

Props.conf for JSON File

All, Having some trouble with a JSON file field extractions. It’s funny the only extraction I am getting is “PATH...

by Builder in

dealing with sporadic linebreaks in my data when it comes in by tcp input

When I'm sending in data over TCP, once in a blue moon Splunk will split one of the events into two parts, so I get t...

by SplunkTrust in

Search results for a sourcetype are null for a certain user. Where should I check the permissions?

We are using two different user accounts: the defult admin account, and one we have created called "consultant", whic...

by Communicator in

how to break the JSON data?

Hello Experts, Attached is the sample JSON file which I am trying to upload to Splunk.I have uploaded it by Splunk...

by Builder in

Split already indexed data into new events?

Does anyone know of a way to create new events from already indexed data? Here is my issue: 1) I am monitoring a d...

by Builder in

Is it possible to use a configuration stanza in webhook URL? e.g. https://`stanza[service_url]`?disposition=1&auth=`stanza[auth_token]`

I am sure this is not an existing syntax  and yet - is it possible to encode such URL-s? ====================== ...

by Path Finder in

Filter Windows Event Data to different Targets?

Question : I would like to ingest windows event data using Splunk Heavy Forwarder and need to filter Windows event lo...

by Splunk Employee in

Why is my inputs.conf monitor stanza with multiple wildcards not picking up anything?

I'm trying to index all the files marked with a [Y] in the directory structure below. [Y] - /tmp/test.log [Y] - /t...

by New Member in

How to filter out all WinEventLog:Security messages except those containing the word "delete"?

Hey guys. I want to exclude all messages from WinEventLog:Security except those containing the word "delete"(for d...

by Communicator in

How to monitor HD free space on servers?

Do I have to have the Splunk forwarder loaded on every server, or is there a way to send that info to a syslog server...

by Path Finder in

How to get all system logs like CPU, disk, and memory from a Splunk forwarder machine?

Hi, I want to get all system logs, like CPU, Disk, Memory and other system logs, from machine where my Splunk forw...

by Explorer in

How to extract data from a CSV file with multiple lines, but the timestamp on a different line??

Hi, My log has a timestamp and a CSV rows. Eg. given 2 records. Sun Feb 14 07:01:05 EST 2016 customer_name,...

by New Member in

Why am I not able to exclude events from getting indexed with my current props and transforms.conf?

Not able to exclude events from indexing on Splunk Enterprise Free version. Can anyone help me out here? Sample da...

by Explorer in

How to route data from forwarders to separate indexes based on the source field when data is coming from single TCP port?

I have log data from multiple sources coming into a single TCP port in JSON format as below: <01>- hostname {"name...

by Contributor in

How to create or update KV Store via REST endpoints?

Hello, I want to fill my KVStore with information from a script. The script adds data via a REST Endpoint to the K...

by Path Finder in

What is the best architecture for a huge amount of syslog data ?

Hi splunkers, I'm think about the best architecture for a huge amount of syslog data. At first, I used rsyslog in ...

by Contributor in

Get Updates on the Splunk Community!

Getting Data In

Discussions

How to configure a heavy forwarder to filter events based on the hostname found in IIS logs?

How to find the path for an unknown data source that is sending data to Splunk?

Indexed data twice! Suggestions to remove data from being searched?

Is there a way to validate the URI for HTTP Event Collector?

Why do I see the default log files, but not the monitored log files being forwarded to indexers?

Filter out logs using props.conf and transfors.conf

Blacklist/ignore files by size

Is it possible to transport data from a Windows event log view?

How to configure wmi.conf to query Windows CPU Temperature?

Props.conf for JSON File

dealing with sporadic linebreaks in my data when it comes in by tcp input

Search results for a sourcetype are null for a certain user. Where should I check the permissions?

how to break the JSON data?

Split already indexed data into new events?

Is it possible to use a configuration stanza in webhook URL? e.g. https://`stanza[service_url]`?disposition=1&auth=`stanza[auth_token]`

Filter Windows Event Data to different Targets?

Why is my inputs.conf monitor stanza with multiple wildcards not picking up anything?

How to filter out all WinEventLog:Security messages except those containing the word "delete"?

How to monitor HD free space on servers?

How to get all system logs like CPU, disk, and memory from a Splunk forwarder machine?

How to extract data from a CSV file with multiple lines, but the timestamp on a different line??

Why am I not able to exclude events from getting indexed with my current props and transforms.conf?

How to route data from forwarders to separate indexes based on the source field when data is coming from single TCP port?

How to create or update KV Store via REST endpoints?

What is the best architecture for a huge amount of syslog data ?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Mimecast App to get Archive logs

WARN SSLCommon [53742 FwdDataReceiverThread] - Re...

What is the correct format for including the API k...

Configuring Splunk OTel Collector for Linux/Window...

Upload failed with ERROR: Read Timeout