Getting Data In

Thread Info

When blacklisting by index name in outputs.conf, what is the variable 'n' in "forwardedindex.n.blacklist = IndexName"?

I see a lot of documentation for black listing by index name in outputs.conf, but I am a bit confused as to the varia...

by Contributor in

How to set earliest and latest for the time range in a dashboard from the earliest and latest event timestamps?

I've read through a number of answers, but none quite gives what I want. I have daily tests that run and my dashb...

by SplunkTrust in

Is it expected behavior for Hunk to delete files as they age from the dispatch directory used for MapReduce?

We are using Hunk with MapR. There is a dispatch directory that Hunk uses for the reduce of the map reduce. /mapr/tmp...

by Splunk Employee in

Does an intermediate forwarder need to be a heavy forwarder, or can a universal forwarder be used?

I am interested in forwarding syslog and Windows events from a DMZ to Indexers which reside inside our network. We ar...

by Path Finder in

How do you group field values based upon user, and then filter users that have only one type of value?

Each user can have two values of type: movement and check-in. There are some users that only have movement and never ...

by New Member in

How to set up an environment with an indexer on one machine and a search head on another?

Dears, May I know please if it's possible to have a setup in which I will have only two machines: one of them will...

by Explorer in

Missing Netflow from Cisco ASA5505

All, The documentation is scattered in various places and not one place. Help. This should be simple and not hard to ...

by New Member in

How to route locally indexed events (from the perspective of an indexer) to another environment?

All -- I'm seeking any advice I can get at this point. A little background. I manage two different user communitie...

by Path Finder in

How to search a list of forwarders and what indexes they are sending data to?

How to search a list of forwarders sending data to a single index or multiple indexes? ie: forwarder (A) sending t...

by New Member in

Why does fullEvent=true not working in my fschange config in inputs.conf?

I need to monitor file changes and I want to know which changes were made. inputs.conf [fschange:///etc/passwd...

by Path Finder in

How do I filter data with upper case and lower case sensitive scenarios?

Is there a way to restrict this search with upper case and lower case scenarios? index=aap_prod sourcetype="HDP:PR...

by Communicator in

Why does my Splunk indexer keep running out of space with my current indexes.conf?

The indexer pauses indexing when free space goes under 5GB on the main partition. This is caused by too many warm buc...

by Communicator in

What is the best practice for configuring a Splunk Forwarder 5.0.3 for custom fields to be appended to the source?

Hi all, I'm looking to add some custom fields to the Splunk Forwarder, but am struggling to find the a way of achi...

by Engager in

How to remove and prevent error "minimum free disk space (5000MB) reached for /var/run/splunk/dispatch" on my heavy forwarder?

I keep getting the "minimum free disk space (5000MB) reached for /var/run/splunk/dispatch" on one of my heavy forward...

by Contributor in

Is there a way to delete data on an indexer from Splunk Web to free up disk space?

Hi , We are about to reach the maximum size of the disk on our Indexer server. Please suggest if there is any way ...

by Path Finder in

How to route data to certain indexes based on host, sourcetype, and index?

Hi. I have a requirement to route events to index based on the fields host, sourcetype, and index. Field host ...

by Explorer in

How do I set up a Splunk forwarder to monitor and forward log files within a certain path?

We are wanting to modify our Splunk forwarders on workstations to look at other log files and I am curious how to go ...

by New Member in

Can I enable SSL for a universal forwarder (public IP), but not for a local universal forwarder (private IP)?

Hi, Can I enable the SSL for the universal forwarder that will access it through the public ip, but not the forwar...

by New Member in

Why is the monit process sometimes restarting

I have Linux servers with Splunk, and the process monit to check my processed. But sometimes I see an issue where ...

by Communicator in

Total number of indexed volume per day

Hi, Currently I have a splunk server receiving logs from few servers. I will like to do a search that is schedu...

by Path Finder in

If an identical input is specified in inputs.conf for multiple apps on a universal forwarder, will this result in duplicate data?

If an input is specified identically in the inputs.conf file of multiple apps running on a Universal forwarder, will ...

by Explorer in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

When blacklisting by index name in outputs.conf, what is the variable 'n' in "forwardedindex.n.blacklist = IndexName"?

How to set earliest and latest for the time range in a dashboard from the earliest and latest event timestamps?

Is it expected behavior for Hunk to delete files as they age from the dispatch directory used for MapReduce?

Does an intermediate forwarder need to be a heavy forwarder, or can a universal forwarder be used?

How do you group field values based upon user, and then filter users that have only one type of value?

How to set up an environment with an indexer on one machine and a search head on another?

Missing Netflow from Cisco ASA5505

How to route locally indexed events (from the perspective of an indexer) to another environment?

How to search a list of forwarders and what indexes they are sending data to?

Why does fullEvent=true not working in my fschange config in inputs.conf?

How do I filter data with upper case and lower case sensitive scenarios?

Why does my Splunk indexer keep running out of space with my current indexes.conf?

What is the best practice for configuring a Splunk Forwarder 5.0.3 for custom fields to be appended to the source?

How to remove and prevent error "minimum free disk space (5000MB) reached for /var/run/splunk/dispatch" on my heavy forwarder?

Is there a way to delete data on an indexer from Splunk Web to free up disk space?

How to route data to certain indexes based on host, sourcetype, and index?

How do I set up a Splunk forwarder to monitor and forward log files within a certain path?

Can I enable SSL for a universal forwarder (public IP), but not for a local universal forwarder (private IP)?

Why is the monit process sometimes restarting

Total number of indexed volume per day

If an identical input is specified in inputs.conf for multiple apps on a universal forwarder, will this result in duplicate data?

How to filter Windows Security events by changing inputs conf

How to use inputlookup to filter

Does Splunk process events before sending to nullqueue?

What are recommended specs for a virtual host for our multisite sandbox environment?

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

How to add 2 separate filters to a single _raw spl...

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

Getting Data In

Are you a member of the Splunk Community?

Discussions