Getting Data In

Thread Info

How to delete existing indexed events?

Hi, I saw multiple junk Windows security events filling up my disk space. I now filtered unnecessary events. How ...

by Explorer in

How do I filter out some Windows events at Search Head/Indexer (RHEL 6 install) Splunk 6.3.1?

New Splunk server, initial tuning period. Working on tuning and filtering. Server shows two event types as most frequ...

by New Member in

Can we have the same source forwarding data to two different Splunk infrastructures?

As part of the upgrade we are planning to deploy Splunk 6.3 on a new set of physical servers. We have around 217 forw...

by Communicator in

"Only the first 10000 of 11409 results are included in the attached CSV" Are results truncated after the report is complete?

We received the message "Only the first 10000 of 11409 results are included in the attached csv". Does the applicatio...

by Path Finder in

Change the INDEX for the data received from Splunk Forwarder

I have Splunk (4.1.2) with Search / Indexer running on Redhat Linux. And I installed Splunk (4.1.2) as forwarder on a...

by Explorer in

How to allow special characters in the header for uploaded CSV data?

I uploaded CSV data which contains some special characters in headers and values, but after parsing, all special char...

by Engager in

Moving a search head pooling Windows environment to a Linux environment, where are my props.conf applied on these servers?

Trying to get a Windows environment moved into a Linux environment, and having problems finding where props.conf is a...

by Communicator in

deleteコマンドの実行に時間がかかっている

can_deleteロールが付与されたadminユーザでsplunkにアクセスし、search appで以前イベントの削除に成功したdeleteコマンドを実行したところ、1時間経っても、サーチの実行が終わらず、キャンセルされました。 ...

by Contributor in

Is it possible to parse an extracted field as json if the whole log line isn't json?

If I have a line of my logs that look something like [2013-10-18 23:36:50.785476] {"message":"some message", "head...

by Explorer in

How do I change the sourcetype on my Splunk forwarder from "syslog" to "json_no_timestamp"?

I am using a Splunk forwarder with a main Splunk server. The forwarder is listening on udp port 1514. And is sending ...

by Explorer in

I have installed the splunk.license file but splunk is still not indexing any event?

I have exceeded splunk license limit too many times but now i have the splunk.license file and it's already installed...

by Path Finder in

Is it possible to use inputlookup inside mvfind?

I have a multivalue field which I am trying to search for a list which is coming from an inputlookup (in lieu of hard...

by Builder in

UF not sending any data - The pipeline indexerPipe threw an exception during initialize

Hi, I have configured a Universal Forwarder with inputs, outputs, I can see in Debug all the monitored files are d...

by Splunk Employee in

Do I need to set up my search head or one of my indexers as my deployment server to deploy and manage universal forwarder configurations?

I just set up 2 indexers and 1 search head. I need to use a deployment server to manage and deploy configurations acr...

by Explorer in

How to configure Splunk to store indexed data into HDFS?

HI, I am writing a Java program to index the data into a Splunk index. How do I configure the index to store the ...

by New Member in

Why is Hunk not picking up the iis sourcetype I configured in props.conf?

I created a new virtual index to search against IIS logs (I have an HDFS directory that holds 11 individual logs all ...

by Influencer in

How to prevent DoS attack on forwarder's tcp input? (error message: too many open files)

Hello guys, I wonder if there is any solution to prevent a simple DoS on a tcp input? We have a couple of TCP i...

by Path Finder in

Is there a way to see the source file in Splunk for data indexed from HDFS using a virtual index?

Hi, As part of our work, we need to index configuration files and prepare reports on them for our client. We need...

by Explorer in

Why is our Windows universal forwarder forwarding perfmon data to main, not the perfmon index?

Hi, I was checking a fresh Universal Forwarder installation I did on a Windows VM and found the following at input...

by Splunk Employee in

Can I set earliest/latest times in the JobArgs using %m/%d/%Y:%H:%M:%S format?

If i give an absolute time as documented in this documentation (http://docs.splunk.com/Documentation/Splunk/6.2.3/Sea...

by Explorer in

Splunk not collecting logs after hostname rename on configuration file

Hi: I had to rename a hostname on splunk client configuration on inputs.conf and server.conf and removed the guid ...

by Path Finder in

Is it possible to use a part of the source name as _time during CSV import?

Hi, I'm uploading multiple CSV files. Unfortunately, they don't have a usable field for the timestamp. Is it possi...

by Motivator in

Where do INDEXED_EXTRACTIONS happen?

I have a Universal Forwarder reading data in a Tab Separated format. I want to apply the INDEXED_EXTRACTIONS = TSV to...

by Path Finder in

Why are my props and transforms.conf not filtering data on the heavy forwarder?

I have a Heavy Forwarder installed which sends the logs to Splunk Cloud. Here's the workflow, please shed some light ...

by Builder in

Why does "add monitor" via CLI not create new sourcetype in Splunk Light?

I have this file in location: /Users/myuser/path/firewall3.log Thu Mar 6 11:33:49 EST 2014 src_ip=1.1.1.1 Thu Mar...

by Explorer in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

How to delete existing indexed events?

How do I filter out some Windows events at Search Head/Indexer (RHEL 6 install) Splunk 6.3.1?

Can we have the same source forwarding data to two different Splunk infrastructures?

"Only the first 10000 of 11409 results are included in the attached CSV" Are results truncated after the report is complete?

Change the INDEX for the data received from Splunk Forwarder

How to allow special characters in the header for uploaded CSV data?

Moving a search head pooling Windows environment to a Linux environment, where are my props.conf applied on these servers?

deleteコマンドの実行に時間がかかっている

Is it possible to parse an extracted field as json if the whole log line isn't json?

How do I change the sourcetype on my Splunk forwarder from "syslog" to "json_no_timestamp"?

I have installed the splunk.license file but splunk is still not indexing any event?

Is it possible to use inputlookup inside mvfind?

UF not sending any data - The pipeline indexerPipe threw an exception during initialize

Do I need to set up my search head or one of my indexers as my deployment server to deploy and manage universal forwarder configurations?

How to configure Splunk to store indexed data into HDFS?

Why is Hunk not picking up the iis sourcetype I configured in props.conf?

How to prevent DoS attack on forwarder's tcp input? (error message: too many open files)

Is there a way to see the source file in Splunk for data indexed from HDFS using a virtual index?

Why is our Windows universal forwarder forwarding perfmon data to main, not the perfmon index?

Can I set earliest/latest times in the JobArgs using %m/%d/%Y:%H:%M:%S format?

Splunk not collecting logs after hostname rename on configuration file

Is it possible to use a part of the source name as _time during CSV import?

Where do INDEXED_EXTRACTIONS happen?

Why are my props and transforms.conf not filtering data on the heavy forwarder?

Why does "add monitor" via CLI not create new sourcetype in Splunk Light?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions