Getting Data In

Discussions

Thread Info

How to configure directory and file monitoring on a universal forwarder?

Hi, I've got a universal forwarder and I'm trying to monitor C:\Windows\System32\winevt\Logs. I've tried 2 solutio...

by Explorer in

Importing 'old' data set results in incorrect date extraction after 2010

Hello, Trying to import a CSV with dates going back 50+ years (https://www.quandl.com/api/v3/datasets/BCB/UDJIAD1.csv...

by Path Finder in

Why is time_before_close attribute causing a delay in indexing ?

I had set the value of time_before_close attribute to 300 (5 mins) in one of my monitor stanzas. What I observed is t...

by Communicator in

How to troubleshoot why props.conf settings did not take effect and an index was not automatically created?

Hi Experts, I dont want to wake up any zombies, hence I create new thread here. I have props.conf file works on...

by Communicator in

Why does ignoreolderthan=1d still result in the indexing of files older than 1 day?

My 6.3.1 inputs.conf is: [monitor://E:\Tomcat-instance1\logs] index=instance1_appl sourcetype=tomcat-appl ignoreol...

by Motivator in

Why am I unable to run a fresh Install of Splunk 6.3 on a VM running Windows Server 2012

Hi. I just installed Splunk Enterprise 6.3 on a VM running Windows Server 2012. The install went fine, but when I...

by Communicator in

How to change ldapsearch that is returning whenCreated attribute in an awkward timestamp format?

I have an ldapsearch that is successfully retrieving multiple AD attributes including the whenCreated attribute. Unfo...

by SplunkTrust in

How to troubleshoot why my Windows universal forwarders are not recognizing the correct timestamp for my data?

Hi, I have complex events in files forwarded from Windows hosts with Universal Forwarders. These files are zip-com...

by Communicator in

How to install the decompressed .gz file on AIX for a Splunk universal forwarder?

Well, this is technically a Unix question but still asked it here since it involves with Splunk. I already install...

by Builder in

How to troubleshoot why our forwarder is not sending particular log files?

I have a particular log file that for some reason, the forwarder will not read and send the data to the indexer. I se...

by Contributor in

how to line break snmp data

Dears, i have configured scripted input that poll snmp of network devices using snmpwalk command but problem that ...

by Explorer in

Is there a CLI option in Splunk 6.1.4 to disable / enable REST data input?

We are running SPLUNK 6.1.4. We have a server with a REST API feed which every so often stops processing. To start it...

by New Member in

Why do blacklisted logs index to main?

I have a group of hosts that use the blacklist function in a monitor stanza in inputs.conf. Here is the referenced st...

by Engager in

Add line breaks to events using transforms.conf

I need to add an additional line break to events at the heavy forwarder. I'm trying to use transforms.conf: [add_l...

by Explorer in

How to remove data from an index when the file read is renamed?

Hi, I would like to remove data from an index when the file read is renamed. I have a file (prog.log.run) which...

by Communicator in

WARN TcpOutputFd - Connect to host:port failed. Connection refused

I am forwarding data from heavy-forwarder (HF-1) to heavy-forwarder(HF-2) which are in different network IP range. ...

by Motivator in

timestamp=none

I acquired some logs from a scrip (close to ps.sh) with a timestamp correctly recognized at index time. The problem i...

by SplunkTrust in

How to consolidate two sourcetypes for one index to one sourcetype?

I configured the following: 1) Malwarebytes syslog configured to send syslog to Splunk server 2) Configured rsyslo...

by Influencer in

Can I change the IP address of a single node splunk deployment?

Will it break anything? Will it violate any certificates? I guess index=_internal will probably show a new machine fo...

by Contributor in

If we clone a Windows server with a Splunk forwarder installed, how do we configure the the cloned server to send data to Splunk?

HI, I think this is a rather silly question, but I haven't been working with Splunk for too long and just can't fi...

by Communicator in

Why are lines in a gzip'ed CSV showing up twice in searches?

Hi. Just installed Splunk for the first time today. As a tes,t I took a CSV file and indexed it, and it worked fi...

by New Member in

Why does our License Report show an increase for a "default" index after upgrade to Splunk 6.3? How do we investigate?

I recently upgraded Splunk to 6.3. Our environment has 1 search head, 2 indexers and 1 deployment/licensing server al...

by Path Finder in

Show all lines for Windows event-log events

For Windows event-log events, Splunk displays the first 5 lines followed by "Show all [n] lines". Most of the time, t...

by New Member in

Splunk Cloud Trial: Why am I getting "ERROR TcpOutputFd - Connection to host=(splunk-cloud-ip):9997 failed" after setting up a universal forwarder on our EC2 instance?

I signed up for a Splunk Cloud trial, and set up a universal forwarder on one of our EC2 instances. However, I keep g...

by Explorer in

How to configure Hunk vix time format (vix.input.1.et.format) to handle both day and month containing leading zeros and non-leading zeros?

So I am trying to configure Hunk 6.3.1 to search my avro files in Hadoop. Here is an example of these .avro files in ...

by Splunk Employee in

Get Updates on the Splunk Community!

Getting Data In

Discussions

How to configure directory and file monitoring on a universal forwarder?

Importing 'old' data set results in incorrect date extraction after 2010

Why is time_before_close attribute causing a delay in indexing ?

How to troubleshoot why props.conf settings did not take effect and an index was not automatically created?

Why does ignoreolderthan=1d still result in the indexing of files older than 1 day?

Why am I unable to run a fresh Install of Splunk 6.3 on a VM running Windows Server 2012

How to change ldapsearch that is returning whenCreated attribute in an awkward timestamp format?

How to troubleshoot why my Windows universal forwarders are not recognizing the correct timestamp for my data?

How to install the decompressed .gz file on AIX for a Splunk universal forwarder?

How to troubleshoot why our forwarder is not sending particular log files?

how to line break snmp data

Is there a CLI option in Splunk 6.1.4 to disable / enable REST data input?

Why do blacklisted logs index to main?

Add line breaks to events using transforms.conf

How to remove data from an index when the file read is renamed?

WARN TcpOutputFd - Connect to host:port failed. Connection refused

timestamp=none

How to consolidate two sourcetypes for one index to one sourcetype?

Can I change the IP address of a single node splunk deployment?

If we clone a Windows server with a Splunk forwarder installed, how do we configure the the cloned server to send data to Splunk?

Why are lines in a gzip'ed CSV showing up twice in searches?

Why does our License Report show an increase for a "default" index after upgrade to Splunk 6.3? How do we investigate?

Show all lines for Windows event-log events

Splunk Cloud Trial: Why am I getting "ERROR TcpOutputFd - Connection to host=(splunk-cloud-ip):9997 failed" after setting up a universal forwarder on our EC2 instance?

How to configure Hunk vix time format (vix.input.1.et.format) to handle both day and month containing leading zeros and non-leading zeros?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Mimecast App to get Archive logs

WARN SSLCommon [53742 FwdDataReceiverThread] - Re...

What is the correct format for including the API k...

Configuring Splunk OTel Collector for Linux/Window...

Upload failed with ERROR: Read Timeout