Getting Data In

Thread Info

Get top 20 countries from Cisco ASA events

Hi, I am searching my Cisco ASA logs to count where an IP originates from by country. It looks like this: ev...

by New Member in

Why is Splunk not automatically recognizing timestamp of my logs correctly and how do I fix this?

Hi, I have a folder with 21 logs, all different types, but with the exact same format. The event types are differe...

by New Member in

How to modify the source field to match normal splunk file location

We had to put the log files in the /san/splunk/var/log/splunk directory vs the /opt/splunk/var/log/splunk directory. ...

by Path Finder in

Is there a way to configure Splunk to parse a sourcetype with mixed data types?

All, I have a log file which is largely key value, with some random human readable language tossed in. Recent upg...

by Builder in

How to update a bunch of forwarders that already use non-SSL to use SSL

Hi, I have a bunch (~100) of forwarders that are using Splunk, but my customer has asked me to enable SSL. I know ...

by Champion in

How do I configure props.conf using my sample data for proper line breaking based on time?

Sample log extract below: Splunk reads the log as one event and takes the pricing date: 2/3/2016 as the actual dat...

by New Member in

Shell Script to Check if Multiple Servers are Correctly Forwarding Data

Hi all, I have a list of servers in a text file "servers.txt." I am trying to create a shell script that will s...

by Path Finder in

Where should I run my report that populates a summary index?

Hi all, I've got a simple search and filter that gets piped into the collect command to create a Summary index. I'...

by Path Finder in

Where to re-define a sourcetype when accidentally set wrong in inputs.conf

Hi, I have set a inputs.conf stanza on my indexer that looks like this. [tcp://10.X.X.X:1500] disabled = false...

by Motivator in

How can I get the response time for the Web Service ?

Hello, I want keep a track on the response each of my service takes while in a message flow in IIB. Please tell me...

by New Member in

Are performance improvements by splitting a single Splunk instance into one search head and one indexer on their own servers?

Currently, I have a combined instance where the search head and indexer are sitting on the same box. The documentatio...

by New Member in

How to troubleshoot why I'm receiving incomplete Windows event logs after a reboot?

i have configured a forwarder to send Windows event logs events to Splunk. It was working fine and sending events ful...

by New Member in

How to to troubleshoot why my logs are getting truncated?

Hi, I am facing an issue where logs are getting truncated, even though I have set TRUNCATE and MAX_EVENTS to very ...

by New Member in

Unable to run curl command in Production which has vip enabled

Hi, I am trying to run a saved search using curl command. This works fine in lower environment but does not work i...

by Contributor in

How do I forward the same data to two different servers?

We're prepping for a migration, so what I want is the exact same data going to OldServer and NewServer Here's what...

by Path Finder in

windows logs

Hello everybody, I am really newbie @splunk. please bare with me I downloaded windows app. I am trying to configur...

by Engager in

Why can deleted events reappear?

Hi, we're experiencing that deleted events reappear and are searchable again. It seems to happen randomly from tim...

by Motivator in

Why are no events being indexed for files being monitored on a universal forwarder?

Hi, I am trying to enable file monitoring using a Splunk universal forwarder, but not able to see any events gener...

by Builder in

Is it necessary to install the universal forwarder on a Splunk indexer to index its own Windows log files?

Is it necessary to install the universal forwarder on a Splunk indexer so that it can index its own information?

by New Member in

How to search the average duration of REST API calls taken by each host and average elapsed CPU time?

2015-08-13 22:23:10,530 UNKNOWN_USER [WebContainer : 9] INFO - End : Duration= 000322 CPU...

by Engager in

How do I route events into different indexes based on event type?

I have an indexing scenario and below are the points to be considered. Imagine I have log file with DEBUG, INFO, and ...

by Communicator in

Why is a deleted sourcetype still getting indexed?

I have removed a sourcetype from my inputs.conf [monitor:///data01/.../current/logs/*.log] disabled = 0 sourcetype...

by Contributor in

If I have two time fields in an event, how do I configure Splunk to use the 2nd one as the timestamp?

My log file looks like below. I need Splunk to ID the time_of_stop time -- instead of the the time included with the ...

by Splunk Employee in

CSV File Issues

Hello, I am having issues with csv files imported from an S3 bucket. The files get imported and indexed fine however ...

by New Member in

After changing data retention from 2 years to 1 year, why did this not free up disk space on my indexer?

Recently, I noticed that the disk on one of my Indexers was nearly full. Currently, all event data is going into the ...

by Path Finder in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Get top 20 countries from Cisco ASA events

Why is Splunk not automatically recognizing timestamp of my logs correctly and how do I fix this?

How to modify the source field to match normal splunk file location

Is there a way to configure Splunk to parse a sourcetype with mixed data types?

How to update a bunch of forwarders that already use non-SSL to use SSL

How do I configure props.conf using my sample data for proper line breaking based on time?

Shell Script to Check if Multiple Servers are Correctly Forwarding Data

Where should I run my report that populates a summary index?

Where to re-define a sourcetype when accidentally set wrong in inputs.conf

How can I get the response time for the Web Service ?

Are performance improvements by splitting a single Splunk instance into one search head and one indexer on their own servers?

How to troubleshoot why I'm receiving incomplete Windows event logs after a reboot?

How to to troubleshoot why my logs are getting truncated?

Unable to run curl command in Production which has vip enabled

How do I forward the same data to two different servers?

windows logs

Why can deleted events reappear?

Why are no events being indexed for files being monitored on a universal forwarder?

Is it necessary to install the universal forwarder on a Splunk indexer to index its own Windows log files?

How to search the average duration of REST API calls taken by each host and average elapsed CPU time?

How do I route events into different indexes based on event type?

Why is a deleted sourcetype still getting indexed?

If I have two time fields in an event, how do I configure Splunk to use the 2nd one as the timestamp?

CSV File Issues

After changing data retention from 2 years to 1 year, why did this not free up disk space on my indexer?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions