Getting Data In

Thread Info

Why am I not able to exclude events from getting indexed with my current props and transforms.conf?

Not able to exclude events from indexing on Splunk Enterprise Free version. Can anyone help me out here? Sample da...

by Explorer in

How to route data from forwarders to separate indexes based on the source field when data is coming from single TCP port?

I have log data from multiple sources coming into a single TCP port in JSON format as below: <01>- hostname {"name...

by Contributor in

How to create or update KV Store via REST endpoints?

Hello, I want to fill my KVStore with information from a script. The script adds data via a REST Endpoint to the K...

by Path Finder in

What is the best architecture for a huge amount of syslog data ?

Hi splunkers, I'm think about the best architecture for a huge amount of syslog data. At first, I used rsyslog in ...

by Contributor in

forwarder monitor a log file but only get "splunk-cooked-mode-v3"?

Hi All, I installed a splunk server and 4 splunk forwarder, and add monitor for an always updating file. But I...

by Engager in

Need to hard code host reported by Universal Forwarder

Hello, We are currently in the process of moving some of our hosts from Solaris to Windows. These hosts are part o...

by Explorer in

Can you have a wildcard in a props.conf stanza header when matching sourcetypes?

I have some settings that I want to apply to several sourcetypes with similar names. Can I do something like this in ...

by Path Finder in

How to set and configure the sourcetype to format events written to Splunk's HTTP event collector?

I'm having issues when writing events to Splunk's HTTP event collector. We have a good amount of existing queries tha...

by Explorer in

How to properly use summary indexing for sensor data in a large-scale deployment?

This is more of a question about the "right" way of doing things versus what is possible. I want to know if there ...

by Champion in

How many log sources can be received and forwarded from a universal forwarder?

Hi users, Probably a bit silly question, but because I've never seen that setup in any of Google searches, I have ...

by Communicator in

Why do the results exported to CSV not match total number of events?

Hi , I have a search without any statistic/transformation command like index=abc earliest=-7d. I am getting follow...

by Path Finder in

Retention Issue: Why is data getting rolled to frozen before hitting the frozenTimePeriodInSecs setting?

Hello, we are currently having some issues with an index. Basically we have configured the following in the related i...

by Communicator in

How to delete logs in a tsidx index?

Hi at all, I installed Splunk App for BlueCoat. I loaded some test data and now I have to delete them before loadi...

by SplunkTrust in

After modifying the timezone in props.conf, why has the _time field not changed?

I've got a variety of customers sending data in to our Splunk indexer. One particular customer has all of their serve...

by Contributor in

Why is forwardedindex in outputs.conf not working on my Windows universal forwarder?

I have a universal forwarder running on a Windows Server 2008 R2 server. .../etc/system/local/inputs.conf is monitori...

by New Member in

After configuring an automatic lookup in props.conf, why is this now taking precedence over another stanza with the same sourcetype?

Hello all, Hoping someone could help clarify and hopefully help figure out an issue I've run into. I created an au...

by New Member in

Is it possible to rsync an indexer's colddb while the indexer is still running the Splunk service?

Is it possible to rsync an indexer's colddb which resides on an NFS export from that network location to another netw...

by Builder in

Why is my Distributed Management Console trying to push a bundle to a newly added search peer which happens to be a standalone indexer?

I have a single Distributed Management Console which I have monitoring separated regional indexers like so.... ...

by Motivator in

What is the equivilant method of Input lookup using Splunk 6.3 SDK Javascript API

Hi , I am creating a new dashboard in html and javascript , I have not downloaded the Splunk 6.3 SDK JavaScript y...

by Explorer in

How to configure props.conf to parse XML on NetScan reports?

Hey Friends I'm having a lot of issues importing an XML file to my Splunk Enterprise. Actually, I'm a new user to ...

by Engager in

Set token in the value of another token?

Hello, I'm looking for a possibility to use one token $token2$ as part of the value of another token. For example ...

by Communicator in

How to collect the requests and responses exchanged between website and webserver in Splunk Light?

HI team, I am very new to Splunk and I have already installed Splunk Light on my machine. I would like to see the ...

by New Member in

After upgrading a Windows forwarder from Splunk 6.x to 6.3.2, why is the description/message getting cut off for Windows event log data?

Seeing this weird problem after upgrading a forwarder on a Windows server from 5.x to 6.3.2 After the upgrade, the...

by Communicator in

How to search the total number of business hours of an event from a csv file?

HI, I have a file called file1.csv whose fields are start_time,close_time start_time close_time 22/08/2014 3:00:0...

by Path Finder in

How can I increase the interval of time between the arrival of events for proper line breaking?

Hi Splunkers, Considering delayed syslog data, I have tried the following scripts which output messages to the mon...

by Contributor in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Why am I not able to exclude events from getting indexed with my current props and transforms.conf?

How to route data from forwarders to separate indexes based on the source field when data is coming from single TCP port?

How to create or update KV Store via REST endpoints?

What is the best architecture for a huge amount of syslog data ?

forwarder monitor a log file but only get "splunk-cooked-mode-v3"?

Need to hard code host reported by Universal Forwarder

Can you have a wildcard in a props.conf stanza header when matching sourcetypes?

How to set and configure the sourcetype to format events written to Splunk's HTTP event collector?

How to properly use summary indexing for sensor data in a large-scale deployment?

How many log sources can be received and forwarded from a universal forwarder?

Why do the results exported to CSV not match total number of events?

Retention Issue: Why is data getting rolled to frozen before hitting the frozenTimePeriodInSecs setting?

How to delete logs in a tsidx index?

After modifying the timezone in props.conf, why has the _time field not changed?

Why is forwardedindex in outputs.conf not working on my Windows universal forwarder?

After configuring an automatic lookup in props.conf, why is this now taking precedence over another stanza with the same sourcetype?

Is it possible to rsync an indexer's colddb while the indexer is still running the Splunk service?

Why is my Distributed Management Console trying to push a bundle to a newly added search peer which happens to be a standalone indexer?

What is the equivilant method of Input lookup using Splunk 6.3 SDK Javascript API

How to configure props.conf to parse XML on NetScan reports?

Set token in the value of another token?

How to collect the requests and responses exchanged between website and webserver in Splunk Light?

After upgrading a Windows forwarder from Splunk 6.x to 6.3.2, why is the description/message getting cut off for Windows event log data?

How to search the total number of business hours of an event from a csv file?

How can I increase the interval of time between the arrival of events for proper line breaking?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

.NET Application Runtime Metrics Not Showing in Sp...

Streamfwd drops IPFIX data with “no template recei...

Forwarding all logs from HF to third-party using s...

Splunk Observability Cloud/SignalFx - Related Cont...

Splunk Answers Content Calendar May 2025 🎉

Getting Data In

Are you a member of the Splunk Community?

Discussions