Getting Data In

Thread Info

Are performance improvements by splitting a single Splunk instance into one search head and one indexer on their own servers?

Currently, I have a combined instance where the search head and indexer are sitting on the same box. The documentatio...

by New Member in

How to troubleshoot why I'm receiving incomplete Windows event logs after a reboot?

i have configured a forwarder to send Windows event logs events to Splunk. It was working fine and sending events ful...

by New Member in

How to to troubleshoot why my logs are getting truncated?

Hi, I am facing an issue where logs are getting truncated, even though I have set TRUNCATE and MAX_EVENTS to very ...

by New Member in

Unable to run curl command in Production which has vip enabled

Hi, I am trying to run a saved search using curl command. This works fine in lower environment but does not work i...

by Contributor in

How do I forward the same data to two different servers?

We're prepping for a migration, so what I want is the exact same data going to OldServer and NewServer Here's what...

by Path Finder in

windows logs

Hello everybody, I am really newbie @splunk. please bare with me I downloaded windows app. I am trying to configur...

by Engager in

Why can deleted events reappear?

Hi, we're experiencing that deleted events reappear and are searchable again. It seems to happen randomly from tim...

by Motivator in

Why are no events being indexed for files being monitored on a universal forwarder?

Hi, I am trying to enable file monitoring using a Splunk universal forwarder, but not able to see any events gener...

by Builder in

Is it necessary to install the universal forwarder on a Splunk indexer to index its own Windows log files?

Is it necessary to install the universal forwarder on a Splunk indexer so that it can index its own information?

by New Member in

How to search the average duration of REST API calls taken by each host and average elapsed CPU time?

2015-08-13 22:23:10,530 UNKNOWN_USER [WebContainer : 9] INFO - End : Duration= 000322 CPU...

by Engager in

How do I route events into different indexes based on event type?

I have an indexing scenario and below are the points to be considered. Imagine I have log file with DEBUG, INFO, and ...

by Communicator in

Why is a deleted sourcetype still getting indexed?

I have removed a sourcetype from my inputs.conf [monitor:///data01/.../current/logs/*.log] disabled = 0 sourcetype...

by Contributor in

If I have two time fields in an event, how do I configure Splunk to use the 2nd one as the timestamp?

My log file looks like below. I need Splunk to ID the time_of_stop time -- instead of the the time included with the ...

by Splunk Employee in

CSV File Issues

Hello, I am having issues with csv files imported from an S3 bucket. The files get imported and indexed fine however ...

by New Member in

After changing data retention from 2 years to 1 year, why did this not free up disk space on my indexer?

Recently, I noticed that the disk on one of my Indexers was nearly full. Currently, all event data is going into the ...

by Path Finder in

Why am I unable to index a file if the size is too small? Is there a minimum file size setting?

Hi Friends, I am facing an issue where SPLUNK does not index a file if the size is too low. The file sits in a UNC...

by Path Finder in

How do I configure custom sourcetypes on Universal Forwarders and Indexers?

I have two Linux VMs set up, one with a Universal Forwarder and one with an Indexer. I have a script that generates d...

by Explorer in

How does the number of forwarder connections to an indexer impact search and indexing performance?

I want to know how does the number of connections to an indexer impact the search and indexing performance (e.g.: how...

by Contributor in

Is there going to be an app to pull data from Microsoft's recently released Office 365 Management Activity API?

Microsoft recently released their Management Activity API. It’s supposed to be similar to the Box API where you can r...

by Explorer in

I want to create a sourcetype in the sourcetype manager, but why does it say "sourcetype already exists"?

I want to create the sourcetype AAA, that is not listed on the sourcetype manager. But when I go to settings > sourc...

by Communicator in

How to troubleshoot why some monitored files in Windows directories not getting indexed?

Hi, I have a number of directories with files that have numerous files that need to be monitored. Splunk is not pi...

by Champion in

Best practices when migrating a Windows search head to new physical hardware in an indexer clustering environment?

I suppose this is a multi-question post. We have a clustered environment and are replacing the hardware our search...

by Contributor in

How do I configure Splunk to break events properly based on my sample data?

I have the below sample data and I want to break the events at the request message qualifier field Request Message...

by Builder in

Is it best practice to use a Deployment Server to deploy configurations to non-clustered search peers (indexers)?

Dear All, I have a Search Head and Two non-clustered indexers (search peers) and I am architecting the system to i...

by Communicator in

How can I download or print the Install Guide for the Box App for Splunk?

I don't see a way to download or print the guide. There is no print button. Can't print from the browser either. Ther...

by Explorer in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Are performance improvements by splitting a single Splunk instance into one search head and one indexer on their own servers?

How to troubleshoot why I'm receiving incomplete Windows event logs after a reboot?

How to to troubleshoot why my logs are getting truncated?

Unable to run curl command in Production which has vip enabled

How do I forward the same data to two different servers?

windows logs

Why can deleted events reappear?

Why are no events being indexed for files being monitored on a universal forwarder?

Is it necessary to install the universal forwarder on a Splunk indexer to index its own Windows log files?

How to search the average duration of REST API calls taken by each host and average elapsed CPU time?

How do I route events into different indexes based on event type?

Why is a deleted sourcetype still getting indexed?

If I have two time fields in an event, how do I configure Splunk to use the 2nd one as the timestamp?

CSV File Issues

After changing data retention from 2 years to 1 year, why did this not free up disk space on my indexer?

Why am I unable to index a file if the size is too small? Is there a minimum file size setting?

How do I configure custom sourcetypes on Universal Forwarders and Indexers?

How does the number of forwarder connections to an indexer impact search and indexing performance?

Is there going to be an app to pull data from Microsoft's recently released Office 365 Management Activity API?

I want to create a sourcetype in the sourcetype manager, but why does it say "sourcetype already exists"?

How to troubleshoot why some monitored files in Windows directories not getting indexed?

Best practices when migrating a Windows search head to new physical hardware in an indexer clustering environment?

How do I configure Splunk to break events properly based on my sample data?

Is it best practice to use a Deployment Server to deploy configurations to non-clustered search peers (indexers)?

How can I download or print the Install Guide for the Box App for Splunk?

Enterprise Security Content Update (ESCU) | New Releases

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!

Announcing the Expansion of the Splunk Academic Alliance Program

Palo alto Strata logging service logs

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

splunkd.log errors and broken fishbucket on splunk...

update to Splunk Add-on for Infoblox?