Getting Data In

Thread Info

indows Event Security login filter at source not working for renderXml inputs

I am ingesting Windows Event Security login into Splunk using option “renderXml” and need to filter some EventCodes b...

by Splunk Employee in

Splunk unable to assign reasonable sourcetype to Solaris 10 BSM audit file that has been converted to ASCII

I am indexing a couple hundred Solaris 10 BSM audit files a day. The audit files are converted to ASCII. It handles t...

by Explorer in

Incorrect Timestamp

I have the following log and need splunk to grab the second timestamp instead of the first. I have tried adjusting pr...

by Communicator in

tsidx topologycruncy

Sifting through the discussions about tsidx files, I still find myself confused on how these populate. Currently on m...

by New Member in

WMI.Conf - Doesn't support Cron time?

Hi, So I have been doing some scripted input for WMI data and have discovered that Splunk has this functionality a...

by Champion in

unarchive_cmd and no indexed data

Hi, I have some binary files, which I pass through unarchive_cmd. My props.conf: [source::/apps/sms/*] NO_BI...

by Communicator in

Index multiple files in a folder without monitoring the directory

Is this possible? I can't find any information online on this. I want to avoid indexing the files on-by-one, as there...

by New Member in

Splunkのメッセージにカスタムメッセージを登録する方法

Splunkの画面右上にあるメッセージ部分に、独自のメッセージを登録する方法を教えて下さい。設定→ユーザーインターフェイス→掲示板メッセージからマニュアルで登録可能なのは理解してますが、プログラム的に、例えばアラートと組み...

by Splunk Employee in

Reduce size of index after amount of time

Hi, I'm currently looking if it possible to reduce the amount of data store in index after 6 months. Example: I'...

by Path Finder in

Why is our Splunk 6.3.2 forwarder locking itself out of a catalina.out archive file every morning?

Every morning the Splunk forwarder on our servers locks itself out of a file and consumes quite a bit of CPU churning...

by New Member in

Indexing odd multiline events

I've got a log file we're monitoring which outputs it's events in a strange format I'm struggling to index correctly....

by Contributor in

./splunk disable app SplunkUniversalForwarder --> How does this work?

Hi All, I have Splunk universal forwarder installed on my hosts. I want to disable this host from sending any data...

by Contributor in

Why are Splunk Forwarders "re-configuring" every 10 minutes according to event logs?

We noticed while investigating issues that the Splunk Forwarder is repeatedly "re-configuring" itself using the MSI p...

by Communicator in

Splunk 6, structuredparsing + nullQueue on UF for IIS

I've been Googling and searching through Splunkbase trying to find an example of using the new structuredparsing queu...

by Path Finder in

Splunk is truncating the last key/value pair on line if the value contains a space

We are ingesting Aruba CearPass logs. The ClearPass Appliances send their syslog to a syslog server that writes the l...

by Path Finder in

Splunk download corrupted

Splunk windows x64 download file splunk-4.3-115073-x64-release.msi is corrupted. Please upload again. Thanks.

by New Member in

Define custom sourcetype XML

I'm trying to define a custom sourcetype. I have one file with multiple XML files. For example MyFile.xml: <?xm...

by Engager in

How do I override source types in SplunkCloud

I know that I can override source types dynamically per event based on this documentation link here: (docs.splunk.com...

by Explorer in

Fetching data from webpage

Hi All, Is their way to fetch data from the webpage for lookup in splunk search. Please provide if we have any wor...

by Contributor in

How to make sure that the data forwarded is loading in the searchhead/indexer completely?

I have a forwarder installed on a server and I am extracting the data for indexes like Name,Class etc and while extra...

by Champion in

Splunk ingesting Yara Rules

Can Splunk natively ingest Yara rules? Our goal is to possibly have Splunk grab Yara rules from a directory, and have...

by New Member in

Json parsing - Failed to parse timestamp

I'm trying to parse the following json input. I'm getting the data correctly indexed but I am also getting a warning....

by Engager in

Can we process the timestamp in an event sent to the HTTP event collector?

The HTTP event collector supports an optional timestamp: { "time": "1426279439", "host": "localhost", ...

by Motivator in

How to configure multiple sourcetypes for a single monitored file?

Hi. I have a single very huge file with different formats. So I decided to create 3 different sourcetypes for thi...

by New Member in

How can i split a json array in mutiple events?

Hello Im trying to split a json Array into multiple Events in the props.conf Whats the best way to do this? He...

by New Member in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

indows Event Security login filter at source not working for renderXml inputs

Splunk unable to assign reasonable sourcetype to Solaris 10 BSM audit file that has been converted to ASCII

Incorrect Timestamp

tsidx topologycruncy

WMI.Conf - Doesn't support Cron time?

unarchive_cmd and no indexed data

Index multiple files in a folder without monitoring the directory

Splunkのメッセージにカスタムメッセージを登録する方法

Reduce size of index after amount of time

Why is our Splunk 6.3.2 forwarder locking itself out of a catalina.out archive file every morning?

Indexing odd multiline events

./splunk disable app SplunkUniversalForwarder --> How does this work?

Why are Splunk Forwarders "re-configuring" every 10 minutes according to event logs?

Splunk 6, structuredparsing + nullQueue on UF for IIS

Splunk is truncating the last key/value pair on line if the value contains a space

Splunk download corrupted

Define custom sourcetype XML

How do I override source types in SplunkCloud

Fetching data from webpage

How to make sure that the data forwarded is loading in the searchhead/indexer completely?

Splunk ingesting Yara Rules

Json parsing - Failed to parse timestamp

Can we process the timestamp in an event sent to the HTTP event collector?

How to configure multiple sourcetypes for a single monitored file?

How can i split a json array in mutiple events?

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase

How to Send Splunk Observability Alerts to Webex teams in Minutes

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions