Getting Data In

Community Activity

Splunk Universal Forwarder and TCP Data: What exactly is Splunk looking for to determine EOF? According to the doc here: http://docs.splunk.com/Documentation/Splunk/6.3.3/Forwarding/Setuploadbalancingd Importa... by tsunamii Path Finder in Getting Data In 04-27-2016 3 4	3	4
Can anyone provide guidance on my plan to configure cold storage in indexes.conf? So, I got the 150TB cold, but they are mounted into /mnt/splunk1/cold and /mnt/splunk2/cold. I figured that may caus... by ccsfdave Builder in Getting Data In 04-26-2016 0 2	0	2
How to configure inputs.conf on a Splunk forwarder to only read a file once? Hello, Is there a way to tell the Splunk forwarder not to keep monitoring a file after it's been indexed once? We ar... by echalex Builder in Getting Data In 04-26-2016 1 5	1	5
Why does monitoring for a log file keep stopping and getting error "BatchReader - Removed from queue..."? Hello I have a monitor on a log file that is continuously written to. It seems that the monitor keeps stopping and t... by tkwaller Builder in Getting Data In 04-26-2016 0 5	0	5
How to configure file monitoring to make the full content of a file as one event? I have Login files in a folder that are overwritten each time a person logs in. I would like to read in the entire f... by hartfoml Motivator in Getting Data In 04-26-2016 0 12	0	12
How to configure transforms.conf on a heavy forwarder to combine sourcetype and host into one host key? I'm exporting events from a Heavy Forwarder to syslog without indexing (throwing to nullQueue after syslog output). ... by ehudb Contributor in Getting Data In 04-26-2016 0 2	0	2
Why were logs indexed at a time when Splunk was not running on the host? Splunk was running on the time period 00:00 07:00. and stopped at 07:00, but few logs were captured at the time 08:15... by Madhan45 Path Finder in Getting Data In 04-26-2016 0 1	0	1
Should we install universal forwarders at each of our branch locations to forward data directly to Splunk Cloud? We are looking at leveraging Splunk Cloud and we have branch locations all over the country in which we will need to ... by roacha New Member in Getting Data In 04-25-2016 0 2	0	2
How do we calculate the RAM usage by applications on different servers? I am trying to figure out how much RAM an app on a Windows server is consuming for a given index. by PreetiKa Engager in Getting Data In 04-25-2016 0 2	0	2
How to configure Splunk to only index data from a database from the last 30 days? I have a database that stores proxy info which I want to index. The problem is that there is way too much data and I ... by singhh4 Path Finder in Getting Data In 04-25-2016 0 1	0	1
Why does splunk think it can't parse my timestamp I am seeing some odd behavior. My setup is this: Splunk 6.3.1 Enterprise, 1 search head, 4 indexers, 1 forwarder Pl... by lyndac Contributor in Getting Data In 04-25-2016 0 5	0	5
How to search duration using two timestamps? Hi, We need to find duration between timestamps and the format looks like below. max_time=1461593558.000 min _time... by splunker9999 Path Finder in Getting Data In 04-25-2016 0 5	0	5
Why can't Splunk index my entire log file? I am trying to index a somewhat long log file (about 38805 bytes according to the tailing processor). This log file c... by chustar Path Finder in Getting Data In 04-25-2016 0 7	0	7
Monitoring directory loaded with LFTP Mirror causes reindexing. How should I solve this? I'm using Splunk 6.3.2 with a simple monitor stanza in inputs.conf that watches all the *.txt files in a particular d... by polfer Explorer in Getting Data In 04-25-2016 0 5	0	5
How to configure a heavy forwarder to filter out the ending string from Windows security event logs? Hello guys I'm trying to drop the end of all Security events: This event is generated when a logon session is creat... by kalianov Path Finder in Getting Data In 04-25-2016 0 5	0	5
Splunk Reindexes File that gets a new first line when closed Hello, My problem is simple to explain: I have an app that generates logs that are written whenever a new action is ... by TiagoMatos Path Finder in Getting Data In 04-24-2016 0 31	0	31
Why are IIS logs not being indexed from Windows Share? I have a universal forwarder (6.3.3 x64) installed on Windows Server 2012 R2 that is supposed to index IIS logs that ... by seanbarbour New Member in Getting Data In 04-24-2016 0 3	0	3
How to split a TCP input on STX/ETX (0x02/0x03), no line breaks, into separate events? Hello, I'm trying to accept TCP input from a device which wraps each transmission into STX/ETX pair (ASCII 002/003), ... by arkadyz1 Builder in Getting Data In 04-22-2016 0 13	0	13
get source files not updated in last 1 hour I want to get source files not updated in last 1 hour in specific host. Like in host java123 there are 2 logs /logs/a... by nani2rahul New Member in Getting Data In 04-22-2016 0 1	0	1
Hourly CPU spike on indexers Hey, Is there some internal scheduled event on an indexer than runs every hour? We're seeing our average CPU go fro... by Kindred Path Finder in Getting Data In 04-22-2016 0 9	0	9
Why is the Splunk Python SDK not returning formatted numbers in the JSON response? Splunk Python SDK does not return formatted numbers in the JSON response. Example: \|eval var1=tonumber(var2)\| table... by lpolo Motivator in Getting Data In 04-22-2016 0 2	0	2
universal forwarder on windows: installation directory must be on a local hard drive I've installed the universal forwarder on two of my domain controllers without issue. For some reason, on the remain... by vistek New Member in Getting Data In 04-22-2016 0 5	0	5
Can I alias "host" and "source" fields from incoming logs so they don't interfere with Splunk's built-in fields? Splunk inherently has host and source fields to log the host (forwarder) and source (log file) for each event. Howeve... by thisissplunk Builder in Getting Data In 04-21-2016 0 4	0	4
setup.xml: still magic for beginners - how can I realize an "I agree" confirmation? we have two problems with setting up a setup.xml file: 1) actually we want to use the setup.xml file to just infor... by DrFedtke Explorer in Getting Data In 04-21-2016 3 1	3	1
Is there a parser that will convert Windows SDDL or ACE format strings into human readable content? Hi, Is anyone aware of an existing parser that will convert windows SDDL format or ACE format strings into human re... by javiergn Super Champion in Getting Data In 04-21-2016 0 1	0	1

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Getting Data In

Splunk Universal Forwarder and TCP Data: What exactly is Splunk looking for to determine EOF?

Can anyone provide guidance on my plan to configure cold storage in indexes.conf?

How to configure inputs.conf on a Splunk forwarder to only read a file once?

Why does monitoring for a log file keep stopping and getting error "BatchReader - Removed from queue..."?

How to configure file monitoring to make the full content of a file as one event?

How to configure transforms.conf on a heavy forwarder to combine sourcetype and host into one host key?

Why were logs indexed at a time when Splunk was not running on the host?

Should we install universal forwarders at each of our branch locations to forward data directly to Splunk Cloud?

How do we calculate the RAM usage by applications on different servers?

How to configure Splunk to only index data from a database from the last 30 days?

Why does splunk think it can't parse my timestamp

How to search duration using two timestamps?

Why can't Splunk index my entire log file?

Monitoring directory loaded with LFTP Mirror causes reindexing. How should I solve this?

How to configure a heavy forwarder to filter out the ending string from Windows security event logs?

Splunk Reindexes File that gets a new first line when closed

Why are IIS logs not being indexed from Windows Share?

How to split a TCP input on STX/ETX (0x02/0x03), no line breaks, into separate events?

get source files not updated in last 1 hour

Hourly CPU spike on indexers

Why is the Splunk Python SDK not returning formatted numbers in the JSON response?

universal forwarder on windows: installation directory must be on a local hard drive

Can I alias "host" and "source" fields from incoming logs so they don't interfere with Splunk's built-in fields?

setup.xml: still magic for beginners - how can I realize an "I agree" confirmation?

Is there a parser that will convert Windows SDDL or ACE format strings into human readable content?

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

SC4S postfilter not dropping Fortigate east-west t...

Transilience AI threat intel feed integration

How to integrate threat armor with splunk?

How to integrate Google Cloud armor with splunk?

How to Integrate Iraje PAM with splunk? Is there a...

Getting Data In

Join the Conversation