Getting Data In

Community Activity

How do I route events into different indexes based on event type? I have an indexing scenario and below are the points to be considered. Imagine I have log file with DEBUG, INFO, and ... by nawneel Communicator in Getting Data In 02-03-2016 1 3	1	3
Why is a deleted sourcetype still getting indexed? I have removed a sourcetype from my inputs.conf [monitor:///data01/.../current/logs/*.log] disabled = 0 sourcetype =... by proylea Contributor in Getting Data In 02-03-2016 0 4	0	4
If I have two time fields in an event, how do I configure Splunk to use the 2nd one as the timestamp? My log file looks like below. I need Splunk to ID the time_of_stop time -- instead of the the time included with the... by jpelletier_splu Splunk Employee in Getting Data In 02-03-2016 0 3	0	3
CSV File Issues Hello, I am having issues with csv files imported from an S3 bucket. The files get imported and indexed fine however ... by cesardavila New Member in Getting Data In 02-03-2016 0 3	0	3
After changing data retention from 2 years to 1 year, why did this not free up disk space on my indexer? Recently, I noticed that the disk on one of my Indexers was nearly full. Currently, all event data is going into the... by vanderaj1 Path Finder in Getting Data In 02-03-2016 1 11	1	11
Why am I unable to index a file if the size is too small? Is there a minimum file size setting? Hi Friends, I am facing an issue where SPLUNK does not index a file if the size is too low. The file sits in a UNC l... by gauravmishra15 Path Finder in Getting Data In 02-03-2016 1 1	1	1
How do I configure custom sourcetypes on Universal Forwarders and Indexers? I have two Linux VMs set up, one with a Universal Forwarder and one with an Indexer. I have a script that generates ... by rob_lamb Explorer in Getting Data In 02-03-2016 0 2	0	2
How does the number of forwarder connections to an indexer impact search and indexing performance? I want to know how does the number of connections to an indexer impact the search and indexing performance (e.g.: how... by pramit46 Contributor in Getting Data In 02-03-2016 0 1	0	1
Is there going to be an app to pull data from Microsoft's recently released Office 365 Management Activity API? Microsoft recently released their Management Activity API. It’s supposed to be similar to the Box API where you can r... by klemaned Explorer in Getting Data In 02-03-2016 0 2	0	2
I want to create a sourcetype in the sourcetype manager, but why does it say "sourcetype already exists"? I want to create the sourcetype AAA, that is not listed on the sourcetype manager. But when I go to settings > sourc... by mataharry Communicator in Getting Data In 02-02-2016 1 1	1	1
How to troubleshoot why some monitored files in Windows directories not getting indexed? Hi, I have a number of directories with files that have numerous files that need to be monitored. Splunk is not pic... by a212830 Champion in Getting Data In 02-02-2016 0 1	0	1
Best practices when migrating a Windows search head to new physical hardware in an indexer clustering environment? I suppose this is a multi-question post. We have a clustered environment and are replacing the hardware our search h... by hagjos43 Contributor in Getting Data In 02-02-2016 0 2	0	2
How do I configure Splunk to break events properly based on my sample data? I have the below sample data and I want to break the events at the request message qualifier field Request Message Q... by vrmandadi Builder in Getting Data In 02-02-2016 0 6	0	6
Is it best practice to use a Deployment Server to deploy configurations to non-clustered search peers (indexers)? Dear All, I have a Search Head and Two non-clustered indexers (search peers) and I am architecting the system to inc... by BlueSocket Contributor in Getting Data In 02-02-2016 0 3	0	3
How can I download or print the Install Guide for the Box App for Splunk? I don't see a way to download or print the guide. There is no print button. Can't print from the browser either. Ther... by AllanMarcus Explorer in Getting Data In 02-02-2016 0 2	0	2
After updating our universal forwarders from Splunk 6.1.2 to 6.2.8, why is the Account_Name field not populated for Windows Security logs? After updating our universal forwarders from 6.1.2 to 6.2.8 Windows Security logs are coming in without the Account_N... by saulverde Path Finder in Getting Data In 02-02-2016 0 2	0	2
How do I extract event timestamp from json log file at index time? I'm trying to extract timestamps for log events that I am forwarding to Splunk as json log files, and instead of gett... by aenache Engager in Getting Data In 02-02-2016 0 2	0	2
Is it possible to run an inputlookup command to a kvstore/CSV that has permissions only for that app? Is it possible to run an inputlookup command to a kvstore that has permissions only for that app, outside that same a... by joao_amorim Communicator in Getting Data In 02-02-2016 0 2	0	2
Can someone explain splunk overview for data forwarding and parsing? Hello Experts, I am new to splunk and learning it. http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Rout... by chaseto Explorer in Getting Data In 02-01-2016 0 5	0	5
xpath is returning the duplicate values. How do I limit the output to single values? Hi All, Because of existing logs type, XPATH is returning a same value thrice. Is there any way to limit the number... by rishiaggarwal Explorer in Getting Data In 02-01-2016 0 2	0	2
How to configure a universal forwarder on Windows to send data to another Windows system? I already installed the universal forwarder on a Windows system. What I would like to do is get the data into another... by rakeshh123 Path Finder in Getting Data In 02-01-2016 0 2	0	2
How to configure a Splunk universal forwarder and receiver on Windows? Can you please help me in detail with configuring the Splunk universal forwarder and receiver on Windows? I would lik... by Umesh_Vedicsoft Path Finder in Getting Data In 02-01-2016 1 1	1	1
Why are we seeing duplicate headers? (host and timestamp) Splunk adds one header, then one more when forwarding to external logger. SPLUNK entry Jan 29 14:09:01 host.localdo... by jppham New Member in Getting Data In 02-01-2016 0 3	0	3
How to deploy a Splunk Universal Forwarder through GPO and MST setup? I have been trying to push the Splunk Universal Forwarder out to my client systems via GPO. I would like, however, t... by sardinha1 Engager in Getting Data In 02-01-2016 1 2	1	2
how many clients can one deployment server manage? Is there a practical or physical limit to how many clients a single Splunk Deployment Server can handle / manage? by maverick Splunk Employee in Getting Data In 02-01-2016 1 3	1	3

Get Updates on the Splunk Community!

New Year. New Skills. New Course Releases from Splunk Education

A new year often inspires reflection—and reinvention. Whether your goals include strengthening your security ...

Splunk and TLS: It doesn't have to be too hard

Overview Creating a TLS cert for Splunk usage is pretty much standard openssl. To make life better, use an ...

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Splunk Lantern is a Splunk customer success center that provides practical guidance from Splunk experts on key ...

Getting Data In

How do I route events into different indexes based on event type?

Why is a deleted sourcetype still getting indexed?

If I have two time fields in an event, how do I configure Splunk to use the 2nd one as the timestamp?

CSV File Issues

After changing data retention from 2 years to 1 year, why did this not free up disk space on my indexer?

Why am I unable to index a file if the size is too small? Is there a minimum file size setting?

How do I configure custom sourcetypes on Universal Forwarders and Indexers?

How does the number of forwarder connections to an indexer impact search and indexing performance?

Is there going to be an app to pull data from Microsoft's recently released Office 365 Management Activity API?

I want to create a sourcetype in the sourcetype manager, but why does it say "sourcetype already exists"?

How to troubleshoot why some monitored files in Windows directories not getting indexed?

Best practices when migrating a Windows search head to new physical hardware in an indexer clustering environment?

How do I configure Splunk to break events properly based on my sample data?

Is it best practice to use a Deployment Server to deploy configurations to non-clustered search peers (indexers)?

How can I download or print the Install Guide for the Box App for Splunk?

After updating our universal forwarders from Splunk 6.1.2 to 6.2.8, why is the Account_Name field not populated for Windows Security logs?

How do I extract event timestamp from json log file at index time?

Is it possible to run an inputlookup command to a kvstore/CSV that has permissions only for that app?

Can someone explain splunk overview for data forwarding and parsing?

xpath is returning the duplicate values. How do I limit the output to single values?

How to configure a universal forwarder on Windows to send data to another Windows system?

How to configure a Splunk universal forwarder and receiver on Windows?

Why are we seeing duplicate headers? (host and timestamp)

How to deploy a Splunk Universal Forwarder through GPO and MST setup?

how many clients can one deployment server manage?

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Dashboard

How to use Lambda to push logs to Splunk Cloud

Clarity on metrics license usage and how the data ...

ServiceNow Technical Add-on for CMDB Pull

Bangalore Splunk Usergroup meeting(Dec 2025)

Getting Data In

Join the Conversation