Getting Data In

Thread Info

Should Splunk be barking back at this type of time stamp string? 2016/04/07T10:04:02.113[+0000] ? I can't tell if it meets the ISO standard.

Hello Splunkers, I have a timestamp below that does not seem to want to get recognized / converted properly by Spl...

by Communicator in

What is the order of precedence transforms are applied within a single props.conf stanza?

Given a couple transforms.conf stanzas that both operate on the host field (index-time manipulation), reading from th...

by SplunkTrust in

Two diffent indexes

Is it possible to send different logs on two different indexes [default] host = EDGE1 [script://$SPLUNK_HOME\bi...

by Path Finder in

How to configure a local Splunk Enterprise instance as both a forwarder and indexer?

Hi, I have installed Splunk Enterprise version locally and configured the below from Splunk Web. 1-forwarding host...

by Explorer in

If we plan to ingest roughly 10 GB of logs daily, how much extra data should I consider being added to indexing done by the Splunk server?

As we begin to plan out our deployment of Splunk, one thing is starting to puzzle me, and this is mostly a "should we...

by Explorer in

'Invalid Key in Stanza' errors being generated at startup for inputs.conf whitelist on a 6.1.4 Heavy Forwarder that docs say should work

Per these docs http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/MonitorWindowsdata I have changed from the old ...

by Motivator in

Is it possible to configure inputs.conf to forward events based on "Custom Views" in Microsoft Event Viewer?

Hi Splunk Community, Can one configure inputs.conf to forward events based on a "Custom Views" in Event Viewer? Sp...

by New Member in

Why are text input fields unexpectedly blank in custom alert action UI?

I am developing an add-on that adds a custom alert action. I've built a custom HTML fragment (as described in the cus...

by Explorer in

Is there a unique ID assigned to each forwarder to help me determine from which forwarder certain indexed data belongs to?

Hi, I have set up multiple forwarders sending events to a remote indexer. I am going to use the indexed data for f...

by Explorer in

ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.

Team, In one of the Unix servers where SplunkForwarder is running, I have the below log in the splunkd.log file. O...

by New Member in

How do I get hosts (universal forwarders) show on the Splunk Light home page?

I have Splunk Light installed and set up on my server. I have the receiving port set. On the client I want Splunk Lig...

by New Member in

What is this 'Learned' file under apps?

I was just poking around to find out why my data had this strange sourcetype history-y2016-m06-d-10, and when I went ...

by Path Finder in

Why am I getting "Invalid key in stanza _server_app_APPNAME_ABC_CDE" with udp listener?

I have a similar, but not the same inconsistency issue with inputs.conf on distributed setup. I have udp listener ...

by Explorer in

How to setting splunk an architecture of 01 heavy forwarder, 01 search head and 01 indexer?

Hi guys! How to setting splunk an architecture of 01 heavy forwarder, 01 search head and 01 indexer? I need to co...

by Path Finder in

Can I override two keys in one transforms stanza?

My current situation is that a bunch of files are all being dumped into one directory for the forwarder to monitor an...

by Contributor in

Can I forward some logs from Splunk Light Free to a third party syslog server?

Can Splunk Light Free forward some logs to a third party server? Ex. I have Splunk Light free monitoring some log ...

by Path Finder in

tarAndChecksum error for deployed app inputs.conf

Hi, I'm trying to send configuration through an app to one of my the universal forwarders. The app consists of an ...

by Path Finder in

Distributed Search Environment: Do accelerated data models reside on the indexer or search head?

I have an app with an accelerated data model. The data model is defined in a JSON file while the acceleration is enab...

by Builder in

How can i change the permissions of dynamically created Tags through REST API ?

Searched for answers, but couldn't figure it out. The closest answer was: how-to-change-sharing-and-permissions-for-a...

by Communicator in

How to get a default value and assign all values to "All" in a drop-down from a CSV file input?

Hi, I am getting 2 issues when I am creating a dashboard. I have 2 multiselect drop-downs. If I select a value...

by Communicator in

How to configure outputs.conf on an OSSEC server to forward logs to a Splunk indexer?

I am trying to get a forwarder using the outputs.conf file on an ossec server to forward the logs to a splunk server....

by Engager in

When I uploaded a document, I am getting the error "Parameter name: Path must be absolute". What could be the reason?

by New Member in

Indexer Tuning Best Practices: How to decide which apps or add-ons are not needed?

I want to clean up the indexers and remove unnecessary Apps that could be using up unnecessary CPU and memory. I have...

by Motivator in

I am using third party forwarding from Splunk to QRadar but the events are not being displayed correctly. How can I correct this?

My Splunk setup is a UF sending to an indexer. That indexer is then forwarding everything to QRadar. When I look at t...

by Splunk Employee in

How to link fields with different names across sources?

I have two types of transactions, one coming from a mobile app when a push notification is sent, looks approx like th...

by Splunk Employee in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Should Splunk be barking back at this type of time stamp string? 2016/04/07T10:04:02.113[+0000] ? I can't tell if it meets the ISO standard.

What is the order of precedence transforms are applied within a single props.conf stanza?

Two diffent indexes

How to configure a local Splunk Enterprise instance as both a forwarder and indexer?

If we plan to ingest roughly 10 GB of logs daily, how much extra data should I consider being added to indexing done by the Splunk server?

'Invalid Key in Stanza' errors being generated at startup for inputs.conf whitelist on a 6.1.4 Heavy Forwarder that docs say should work

Is it possible to configure inputs.conf to forward events based on "Custom Views" in Microsoft Event Viewer?

Why are text input fields unexpectedly blank in custom alert action UI?

Is there a unique ID assigned to each forwarder to help me determine from which forwarder certain indexed data belongs to?

ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.

How do I get hosts (universal forwarders) show on the Splunk Light home page?

What is this 'Learned' file under apps?

Why am I getting "Invalid key in stanza _server_app_APPNAME_ABC_CDE" with udp listener?

How to setting splunk an architecture of 01 heavy forwarder, 01 search head and 01 indexer?

Can I override two keys in one transforms stanza?

Can I forward some logs from Splunk Light Free to a third party syslog server?

tarAndChecksum error for deployed app inputs.conf

Distributed Search Environment: Do accelerated data models reside on the indexer or search head?

How can i change the permissions of dynamically created Tags through REST API ?

How to get a default value and assign all values to "All" in a drop-down from a CSV file input?

How to configure outputs.conf on an OSSEC server to forward logs to a Splunk indexer?

When I uploaded a document, I am getting the error "Parameter name: Path must be absolute". What could be the reason?

Indexer Tuning Best Practices: How to decide which apps or add-ons are not needed?

I am using third party forwarding from Splunk to QRadar but the events are not being displayed correctly. How can I correct this?

How to link fields with different names across sources?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

.NET Application Runtime Metrics Not Showing in Sp...

Streamfwd drops IPFIX data with “no template recei...

Forwarding all logs from HF to third-party using s...

Splunk Observability Cloud/SignalFx - Related Cont...

Splunk Answers Content Calendar May 2025 🎉

Getting Data In

Are you a member of the Splunk Community?

Discussions