Getting Data In

Community Activity

If I configure a heavy forwarder to index and forward data, where is the indexed data stored and how do I access those events? Hi, I'm planning a deployment where all Windows servers will have the Universal Forwarder installed and configured t... by restevan New Member in Getting Data In 05-26-2016 0 3	0	3
Why do I keep getting "INFO TailReader - File descriptor cache is full (100), trimming..." in the splunkd.log on a heavy forwarder? Hello Getting what I would think is an error, but its listed as info level, not sure what it means INFO TailReader... by tkwaller Builder in Getting Data In 05-26-2016 0 2	0	2
Add index to default searched index in splunk light. I'm forwarding traffic from a window file server to a splunk light instance. The index where the data is received is... by matt_squaretrad Engager in Getting Data In 05-26-2016 1 3	1	3
Why did our indexer stop receiving data from all forwarders last night with SSL error "certificate verify failed"? Hi all, Splunk Enterprise 6.2.3 (264376). Overnight, the indexer stopped receiving data from all of the forwarders.... by crunchit Engager in Getting Data In 05-25-2016 0 3	0	3
replace self signed certificates on Splunk forwarder What is the process to create SSL NON self signed certificates on the splunk forwarders? Currently when a splunk for... by BastianW Path Finder in Getting Data In 05-25-2016 0 2	0	2
Should we upgrade our universal forwarders from 4.3 to 6.4? Why? Hi, Can you please tell me if there is any valuable reason to upgrade forwarders from 4.3 to new versions (6.x)? We... by gregory_cordier Explorer in Getting Data In 05-25-2016 0 1	0	1
overall splunk monitoring What is needed to monitor that splunk is running properly. There is the Deployment Monitor App (http://splunk-base.s... by andersmholmgren Explorer in Getting Data In 05-25-2016 2 5	2	5
How can we make sure the appropriate key-value pairs from different web application logs are indexed in Splunk? We have multiple web applications that have different information being recorded to make sure the appropriate informa... by akhilchhugani New Member in Getting Data In 05-25-2016 0 7	0	7
How to configure props.conf to line break data in json format? I have events that are coming in 'kinda' json format. I can't get KV_MODE=json to work so I was going to try and do t... by jedatt01 Builder in Getting Data In 05-25-2016 0 4	0	4
Why are only the first two lines of my CSV file getting indexed? Trying to index a CSV, but only the first two lines are indexing. I want to skip the first line and start indexing ... by fredkaiser Path Finder in Getting Data In 05-24-2016 0 5	0	5
If we have multiple logs from various web applications with different key value pairs and different formats how can we extract different information from each type of log I do not understand how the indexing in splunk works, if there are multiple types of log files and we want only certa... by ac123 New Member in Getting Data In 05-24-2016 0 1	0	1
Can a 6.3.3 standalone Search Head connect to a 6.4.1 indexer in an indexer cluster? Hi, We've set up our dev environment to use 6.4.1, and are testing it with some customers. When they try to add the ... by a212830 Champion in Getting Data In 05-24-2016 0 1	0	1
Does anyone have experience with how indexing latency affects accelerated data models and how to handle this? Has anyone had any experience on how indexing lag affects accelerated data models and ways to mitigate the issue? Th... by romedome Path Finder in Getting Data In 05-24-2016 0 4	0	4
Why does Splunk seem to have more than 90 days of data with our frozenTimePeriodInSecs setting? We changed frozenTimePeriodInSecs = 10368000 (120 days from 90 days) for the layer7 index 30 days ago. It shows the... by ddrillic Ultra Champion in Getting Data In 05-24-2016 0 3	0	3
Why am I still seeing data older than my frozenTimePeriodInSecs retention setting? I have set the values to maxDataSize = 1024 maxHotIdleSecs = 86400 maxWarmDBCount = 30 frozenTimePeriodInSecs = 6480... by neelamsantosh Path Finder in Getting Data In 05-24-2016 0 2	0	2
Why is the timezone for DNS logs from multiple regions not getting localized? Hi, I have DNS logs coming from multiple geographies -Australia, India etc. My whole Splunk infrastructure is in UTC... by lohitkidu Path Finder in Getting Data In 05-24-2016 0 3	0	3
Data is currently indexed with past and future dates. How to configure Splunk to only index data using the System Date/Time? What is needed to change Splunk to only index using the System Date/Time? I have data indexed today with a date of 20... by ezajac Path Finder in Getting Data In 05-24-2016 0 1	0	1
How to measure the amount of data getting into Splunk heavy forwarders from a certain source? There are two heavy forwarders with F5 load balancer placed behind these servers to manage the load (syslog) and thes... by Hemnaath Motivator in Getting Data In 05-24-2016 0 3	0	3
How can a specific time period of logs be recovered from one Splunk indexer, then restored into another indexer? For example, if I needed the logs dated from January 1, 2016 - January 31, 2016 moved to a different indexer. How can... by cmcdole Path Finder in Getting Data In 05-24-2016 0 5	0	5
Is Python the only supported language, or can I create a custom command or macro via Ruby? All, A vendor just sent me this script to decode their vendor message table. It's not just a simple lookup, but a c... by daniel333 Builder in Getting Data In 05-24-2016 0 1	0	1
Why is line breaking not working as expected for my XML data when I edit .conf files directly? Hi everyone, Can someone please explain why these steps won't work? XML file that I input in Splunk are one event, l... by gagi76 New Member in Getting Data In 05-23-2016 0 3	0	3
How to set default values for new sourcetypes? How can I set up several sourcetypes to inherit the values from one place so I don't have to edit 10 different ones t... by dougmartin Path Finder in Getting Data In 05-23-2016 0 2	0	2
crcSalt question - index all I already know that without crcSalt Splunk checks the first 256 characters, and the crcSalt = the Splunk checks the... by renanprado96 Path Finder in Getting Data In 05-23-2016 0 6	0	6
Is there anyway to fetch the logs of Live HTTP/HTTPs traffic? Is there anyway to fetch the logs of Live HTTP/HTTPs traffic (Web traffic)? For E.G : I am searching multiple sit... by umang_solanki New Member in Getting Data In 05-23-2016 0 3	0	3
How to troubleshoot why splunkd isn't starting on one indexer in an indexer cluster? Hi all, I have an issue with one indexer in a clustered environment. It went down due to some server issue and the s... by kiran331 Builder in Getting Data In 05-23-2016 0 1	0	1

Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars Sometimes, you just need to see the code. For those looking for a ...

Getting Data In

If I configure a heavy forwarder to index and forward data, where is the indexed data stored and how do I access those events?

Why do I keep getting "INFO TailReader - File descriptor cache is full (100), trimming..." in the splunkd.log on a heavy forwarder?

Add index to default searched index in splunk light.

Why did our indexer stop receiving data from all forwarders last night with SSL error "certificate verify failed"?

replace self signed certificates on Splunk forwarder

Should we upgrade our universal forwarders from 4.3 to 6.4? Why?

overall splunk monitoring

How can we make sure the appropriate key-value pairs from different web application logs are indexed in Splunk?

How to configure props.conf to line break data in json format?

Why are only the first two lines of my CSV file getting indexed?

If we have multiple logs from various web applications with different key value pairs and different formats how can we extract different information from each type of log

Can a 6.3.3 standalone Search Head connect to a 6.4.1 indexer in an indexer cluster?

Does anyone have experience with how indexing latency affects accelerated data models and how to handle this?

Why does Splunk seem to have more than 90 days of data with our frozenTimePeriodInSecs setting?

Why am I still seeing data older than my frozenTimePeriodInSecs retention setting?

Why is the timezone for DNS logs from multiple regions not getting localized?

Data is currently indexed with past and future dates. How to configure Splunk to only index data using the System Date/Time?

How to measure the amount of data getting into Splunk heavy forwarders from a certain source?

How can a specific time period of logs be recovered from one Splunk indexer, then restored into another indexer?

Is Python the only supported language, or can I create a custom command or macro via Ruby?

Why is line breaking not working as expected for my XML data when I edit .conf files directly?

How to set default values for new sourcetypes?

crcSalt question - index all

Is there anyway to fetch the logs of Live HTTP/HTTPs traffic?

How to troubleshoot why splunkd isn't starting on one indexer in an indexer cluster?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

How to Integrate and ingest the audit logs of Cymu...

Clarity on metrics license usage and how the data ...

ServiceNow Technical Add-on for CMDB Pull

Bangalore Splunk Usergroup meeting(Dec 2025)

SC4S Syslog server update fails during download wi...

Getting Data In

Join the Conversation