Getting Data In

Thread Info

what format should timestamp be in for starttime?

Regarding starttime from the docs starttime starttime=<timestamp> Search from the specified date and time to the p...

by Motivator in

How to map a sourcetype based on the values in the event?

Hi, I have some nicely defined logfiles, with all key-value pair entries. We'd like to create dynamic sourcetypes,...

by Champion in

Why is Indexer Discovery on a Splunk 6.3.3 universal forwarder failing with http_response=Unauthorized?

We followed the documentation as specified, but when we configure the universal forwarders as specified we get the er...

by Path Finder in

What is the proper way to remove forwarders and all data associated with their index in an indexer clustering environment?

We're wondering what is the proper way to remove a list of forwarders from a cluster and all the data associated with...

by Ultra Champion in

Monitoring Windows Updates from Splunk

Hello, Is there a way to monitor windows updates from Splunk? I have a VBScript that queries a remote machine for ...

by Communicator in

How to troubleshoot why inputs.conf from a deployed app is not properly applied to a Universal Forwarder (Win7)?

Hi, At the moment I am testing Splunk at work. So far, I only have a single Splunk Enterprise instance (acting as ...

by Explorer in

How to configure a universal forwarder to add multiple fields to events being forwarded via _meta?

We're trying to find a way to have the universal forwarder send data to the indexer essentially pre-marked with a sma...

by Path Finder in

How to implement tagging on a universal forwarder to categorize data so we can filter our searches?

I'm totally lost trying to decipher the impossibly dense abstract documentation here. I need to do something that I'd...

by Path Finder in

How will Splunk respond if a cold database path is not present when data is going to be rolled from warm to cold?

hi folks, We have an issue with our cold database filesystem and the estimate to bring it back is around 10 days. ...

by Super Champion in

How to enable deployment server functionality on a universal forwarder?

Hi, Could anyone please tell me that what is needed on the universal forwarder side to enable deployment server fu...

by Communicator in

Why am I getting indexer error "EAIOutParameters - invalid entry title in toAtom(): INDEXER_MISSING_INDEX-\x00\x00j\x00fre"?

I have the following error message appearing every ~3 seconds. My searches have not yielded anyone who has this issue...

by Communicator in

Hostname in file monitoring of syslog

Hi, I have Splunk monitoring a Kiwi log files of syslog data. The problem I am having is the the source of the da...

by Engager in

How to install Splunk forwarders on AWS EC2 instances?

I have Splunk Enterprise on an AWS EC2 Server, and need to install forwarders on two other EC2 Instances. Can someone...

by Engager in

Can Splunk do filtering based on the index name rather than source or sourcetype?

We have a condition where we need to filter out data based on the byte count in the log. We have collapsed the source...

by Path Finder in

How to deploy a Splunk environment to monitor switches, routers, and database servers within our local area network?

Hi, I would like to know the environment to install in case I use Splunk Enterprise (Trial version). I just want t...

by Path Finder in

What is a good way to compare all the VMs in a VMware vSphere with all of the universal forwarders I have installed?

First off, let me say that we do not have plans to purchase the VMware app. I would like to be able to identify an...

by Motivator in

When blacklisting by index name in outputs.conf, what is the variable 'n' in "forwardedindex.n.blacklist = IndexName"?

I see a lot of documentation for black listing by index name in outputs.conf, but I am a bit confused as to the varia...

by Contributor in

How to set earliest and latest for the time range in a dashboard from the earliest and latest event timestamps?

I've read through a number of answers, but none quite gives what I want. I have daily tests that run and my dashb...

by SplunkTrust in

Is it expected behavior for Hunk to delete files as they age from the dispatch directory used for MapReduce?

We are using Hunk with MapR. There is a dispatch directory that Hunk uses for the reduce of the map reduce. /mapr/tmp...

by Splunk Employee in

Does an intermediate forwarder need to be a heavy forwarder, or can a universal forwarder be used?

I am interested in forwarding syslog and Windows events from a DMZ to Indexers which reside inside our network. We ar...

by Path Finder in

How do you group field values based upon user, and then filter users that have only one type of value?

Each user can have two values of type: movement and check-in. There are some users that only have movement and never ...

by New Member in

How to set up an environment with an indexer on one machine and a search head on another?

Dears, May I know please if it's possible to have a setup in which I will have only two machines: one of them will...

by Explorer in

Missing Netflow from Cisco ASA5505

All, The documentation is scattered in various places and not one place. Help. This should be simple and not hard to ...

by New Member in

How to route locally indexed events (from the perspective of an indexer) to another environment?

All -- I'm seeking any advice I can get at this point. A little background. I manage two different user communitie...

by Path Finder in

How to search a list of forwarders and what indexes they are sending data to?

How to search a list of forwarders sending data to a single index or multiple indexes? ie: forwarder (A) sending t...

by New Member in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

what format should timestamp be in for starttime?

How to map a sourcetype based on the values in the event?

Why is Indexer Discovery on a Splunk 6.3.3 universal forwarder failing with http_response=Unauthorized?

What is the proper way to remove forwarders and all data associated with their index in an indexer clustering environment?

Monitoring Windows Updates from Splunk

How to troubleshoot why inputs.conf from a deployed app is not properly applied to a Universal Forwarder (Win7)?

How to configure a universal forwarder to add multiple fields to events being forwarded via _meta?

How to implement tagging on a universal forwarder to categorize data so we can filter our searches?

How will Splunk respond if a cold database path is not present when data is going to be rolled from warm to cold?

How to enable deployment server functionality on a universal forwarder?

Why am I getting indexer error "EAIOutParameters - invalid entry title in toAtom(): INDEXER_MISSING_INDEX-\x00\x00j\x00fre"?

Hostname in file monitoring of syslog

How to install Splunk forwarders on AWS EC2 instances?

Can Splunk do filtering based on the index name rather than source or sourcetype?

How to deploy a Splunk environment to monitor switches, routers, and database servers within our local area network?

What is a good way to compare all the VMs in a VMware vSphere with all of the universal forwarders I have installed?

When blacklisting by index name in outputs.conf, what is the variable 'n' in "forwardedindex.n.blacklist = IndexName"?

How to set earliest and latest for the time range in a dashboard from the earliest and latest event timestamps?

Is it expected behavior for Hunk to delete files as they age from the dispatch directory used for MapReduce?

Does an intermediate forwarder need to be a heavy forwarder, or can a universal forwarder be used?

How do you group field values based upon user, and then filter users that have only one type of value?

How to set up an environment with an indexer on one machine and a search head on another?

Missing Netflow from Cisco ASA5505

How to route locally indexed events (from the perspective of an indexer) to another environment?

How to search a list of forwarders and what indexes they are sending data to?

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

How to handle multiline events from k8s via opente...

Power Platform audit logs

Regex works but transforms.conf extracts only part...

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Getting Data In

Are you a member of the Splunk Community?

Discussions