Getting Data In

Thread Info

How to process json array data inside an event

I have the following json array within an event: backupUsage: [ [-] { [-] archiveBytes: 813327...

by Path Finder in

How to troubleshoot the disk space issues on a Splunk indexer?

I need to know the step by step procedure to troubleshoot the disk space issues on an indexer.

by Explorer in

Why are my headers being indexed from my csv file?

I am trying to do a simple monitor data input of a csv file with the following format: Id,User,Action,_time,Comme...

by Contributor in

How to configure Splunk to keep _internal data longer than 30 days?

For some reason _internal is only available for the last 30 days even though it has not reached its max size limit st...

by Path Finder in

日本語の Windows OS で diagコマンドを実行した際に、UnicodeDecodeErrorが発生し、diag が作成できません。

Splunk ver.6.3.2 にて、日本語の Window 環境で diag を作成しようとした際に、下記のように、UnicodeDecodeError が発生して diag の作成に失敗します。英語環境では、発生しません。 ...

by Communicator in

How do disk space issues occur in Splunk indexers and what are the options to troubleshoot or prevent this from happening?

I was trying to figure it out how disk space issues occur in the indexers and what are the possible outcomes to get o...

by Explorer in

How to calculate maximum *nix heavy forwarder capacity/thruput based on memory & cores

Fellow Splunkers! I've spent a lot of time on both the answers and splunkbase sites but can't seem to find a simple f...

by Path Finder in

[ Changing the direction of a splunk query]

We ran into a somewhat strange issue recently: We have a complex search that needs to be run in the opposite order...

by Builder in

How to Re-Populate Summary Index?

I have a summary index set up to populate every hour. The forwarder that populated the summary index was down for a f...

by SplunkTrust in

Download link for 6.3.3 Mac universal forwarder is broken, kaput, non functional

Has anyone had any success downloading the 6.3.3 universal forwarder for Mac?

by Engager in

How to configure inputs.conf on a universal forwarder to ignore monitoring and indexing folders that are older than 1 day?

Hi I am monitoring a folder which has high level of nesting and daily, 1000's of folders gets created. The name of...

by Communicator in

Are there best practices when indexing very large log files while they are being rotated?

Are there any best practices or recommendations when dealing with very large log files? I have a 50 GB log file th...

by Path Finder in

Get top 20 countries from Cisco ASA events

Hi, I am searching my Cisco ASA logs to count where an IP originates from by country. It looks like this: ev...

by New Member in

Why is Splunk not automatically recognizing timestamp of my logs correctly and how do I fix this?

Hi, I have a folder with 21 logs, all different types, but with the exact same format. The event types are differe...

by New Member in

How to modify the source field to match normal splunk file location

We had to put the log files in the /san/splunk/var/log/splunk directory vs the /opt/splunk/var/log/splunk directory. ...

by Path Finder in

Is there a way to configure Splunk to parse a sourcetype with mixed data types?

All, I have a log file which is largely key value, with some random human readable language tossed in. Recent upg...

by Builder in

How to update a bunch of forwarders that already use non-SSL to use SSL

Hi, I have a bunch (~100) of forwarders that are using Splunk, but my customer has asked me to enable SSL. I know ...

by Champion in

How do I configure props.conf using my sample data for proper line breaking based on time?

Sample log extract below: Splunk reads the log as one event and takes the pricing date: 2/3/2016 as the actual dat...

by New Member in

Shell Script to Check if Multiple Servers are Correctly Forwarding Data

Hi all, I have a list of servers in a text file "servers.txt." I am trying to create a shell script that will s...

by Path Finder in

Where should I run my report that populates a summary index?

Hi all, I've got a simple search and filter that gets piped into the collect command to create a Summary index. I'...

by Path Finder in

Where to re-define a sourcetype when accidentally set wrong in inputs.conf

Hi, I have set a inputs.conf stanza on my indexer that looks like this. [tcp://10.X.X.X:1500] disabled = false...

by Motivator in

How can I get the response time for the Web Service ?

Hello, I want keep a track on the response each of my service takes while in a message flow in IIB. Please tell me...

by New Member in

Are performance improvements by splitting a single Splunk instance into one search head and one indexer on their own servers?

Currently, I have a combined instance where the search head and indexer are sitting on the same box. The documentatio...

by New Member in

How to troubleshoot why I'm receiving incomplete Windows event logs after a reboot?

i have configured a forwarder to send Windows event logs events to Splunk. It was working fine and sending events ful...

by New Member in

How to to troubleshoot why my logs are getting truncated?

Hi, I am facing an issue where logs are getting truncated, even though I have set TRUNCATE and MAX_EVENTS to very ...

by New Member in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

How to process json array data inside an event

How to troubleshoot the disk space issues on a Splunk indexer?

Why are my headers being indexed from my csv file?

How to configure Splunk to keep _internal data longer than 30 days?

日本語の Windows OS で diagコマンドを実行した際に、UnicodeDecodeErrorが発生し、diag が作成できません。

How do disk space issues occur in Splunk indexers and what are the options to troubleshoot or prevent this from happening?

How to calculate maximum *nix heavy forwarder capacity/thruput based on memory & cores

[ Changing the direction of a splunk query]

How to Re-Populate Summary Index?

Download link for 6.3.3 Mac universal forwarder is broken, kaput, non functional

How to configure inputs.conf on a universal forwarder to ignore monitoring and indexing folders that are older than 1 day?

Are there best practices when indexing very large log files while they are being rotated?

Get top 20 countries from Cisco ASA events

Why is Splunk not automatically recognizing timestamp of my logs correctly and how do I fix this?

How to modify the source field to match normal splunk file location

Is there a way to configure Splunk to parse a sourcetype with mixed data types?

How to update a bunch of forwarders that already use non-SSL to use SSL

How do I configure props.conf using my sample data for proper line breaking based on time?

Shell Script to Check if Multiple Servers are Correctly Forwarding Data

Where should I run my report that populates a summary index?

Where to re-define a sourcetype when accidentally set wrong in inputs.conf

How can I get the response time for the Web Service ?

Are performance improvements by splitting a single Splunk instance into one search head and one indexer on their own servers?

How to troubleshoot why I'm receiving incomplete Windows event logs after a reboot?

How to to troubleshoot why my logs are getting truncated?

Celebrating the Winners of the ‘Splunk Build-a-thon’ Hackathon!

Why You Should Register for Splunk University at .conf25

Building Splunk proficiency is a marathon, not a sprint

Splunk Observability Cloud/SignalFx - Related Cont...

Regex works but transforms.conf extracts only part...

Splunk Answers Content Calendar May 2025 🎉

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

Getting Data In

Are you a member of the Splunk Community?

Discussions