Getting Data In

Discussions

Thread Info

How can I get date from filename and time from inside logs.

Hi Splunkers, How can I get date from filename and time from inside the logs. For example: I have a file name...

by Communicator in

How to send events to the nullQueue on indexer?

The strange thing is that I can send events to the nullQueue on my Local installation of Enterprise Splunk (6.2.2.5)....

by Explorer in

Blacklisting Account_Name=ftpadmin ??

I am trying to blacklist Windows service account named, ftpadmin from all servers. I tried: [WinEventLog://Securit...

by Explorer in

How to execute an external Python script to add fields to events for every event ingested by Splunk?

I have a Python script that queries an external system for reputation data based on a hash. What I would like to do i...

by Communicator in

How can I search total time indexing for source="xxx.log" and bandwidth speed of data transfer between site.

Hi everyone, Now I'm working splunk site to site. I have splunk indexer at HQ and splunk forwarder at branch. I...

by Explorer in

how to avoid searching with source file name

Hi Experts, I need your help in the following scenario 1.I have 200 routers configured to feed splunk daily for...

by Path Finder in

indexed data is being rolled off, deleted. Not sure why, what config am I missing 6.2?

t_activity 500,000 N/A 149,887 581,087,973 Mar 31, 2015 2:57:59 PM Apr 21, 2015 11:50:35 AM I have others that hav...

by Engager in

How to push a script out to remote forwarders?

hello everyone, I saw multiple post regarding this but couldn't really understand the architect behind. We have...

by Explorer in

How do I get useful information\reports from Splunk about Windows desktops and servers?

Hi Everyone, How can I get useful information and\or reports from Splunk? I'm new to Splunk and we have a complia...

by Explorer in

Attempting to run Splunk, why am I getting "Problem parsing indexes.conf: Cannot create index 3rdIndex: path of homePath must be absolute"?

[volume:primary] path = opt/splunk/splunk_data maxVolumeDataSizeMB = 2000000 [3rdIndex] homePath = volume:primary/...

by Explorer in

Why is my Splunk 6.2.5 Heavy Forwarder not filtering out events as expected?

My Heavy Forwarder forwards data to the indexer fine, however, I wanted to filter out some events before being forwar...

by Path Finder in

How can I design my search head and indexer clustering architecture?

Hi to everyone I have a design, with four Splunk instances (two search head, and two indexers). I want an "indexer...

by Communicator in

Why is my index not being populated with my current configuration?

We've been chugging along fine with our 4 unreplicated indexers. I'd like to add a new index now, but have gotten stu...

by Path Finder in

What does sendCookedData actually do on a heavy forwarder (i.e. what does 'cooked' mean at a technical level)?

What transformations / processing happens when data is cooked on a heavy forwarder? Is it the same as the data being ...

by Explorer in

is there a limit on the number of files splunk can monitor?

is there a limit on the number of files splunk can monitor? Say for example if i have a directory with 100k+ files. I...

by Builder in

How do I split out a result So that I have a count of True and False

here is what I am trying to do I have a bunch of IP address's Source Count 10.150.1.181 19984 10.150.2.108 18314 10....

by New Member in

Deploying blacklist configuration in inputs.conf to universal forwarder

I am having problems blacklisting a sourcefile from being indexed. We currently run version 4.3 and deploy configu...

by Path Finder in

Why is log data still present in an Index well after the frozenTimePeriodInSecs retention period?

I have an index for which "frozenTimePeriodInSecs = 7776000" (90 days) is set. Usually Indexes do not have data beyon...

by Communicator in

Cisco ASA logging format change

It looks like with 8.3 of Cisco ASA software the logging format has changed some. Old Version: Mar 15 13:39:13 192.16...

by Explorer in

When filtering Windows event logs, can you filter on fields other than EventCode, such as Account_Name?

Taken from inputs.conf on the deployment server: blacklist1 = EventCode="4662" blacklist2 = EventCode="566" black...

by Observer in

Can I build an indexer cluster with a single indexer and migrate the second indexer in later?

I currently have a single Splunk server doing everything. I would like to move to a clustered environment. I have a s...

by Path Finder in

Can someone help me to install and configure a universal forwarder on a Windows 7 machine to forward data to Splunk Cloud?

I need to collect the security logs from the Windows 7 machine and add the data to Splunk Cloud. I am new to Splunk a...

by New Member in

How do I list all sourcetypes for each host per index, provided one sourcetype=apache?

I am trying to set up a stats output so that for each index, it lists all hosts, and for each of those hosts, it list...

by Path Finder in

Forwarder not recursively indexing in 6.3. Works in 6.2.5. A bug?

I have multiple servers running a Splunk 6.2.5 universal forwarder and it is indexing recursively just fine from /var...

by Contributor in

Why are my props.conf and transforms.conf configurations to set host values based on event data being ignored?

In the Getting Data In documentation, it says I should be able to set host based on event data using props.conf and t...

by Splunk Employee in

Get Updates on the Splunk Community!

Getting Data In

Discussions

How can I get date from filename and time from inside logs.

How to send events to the nullQueue on indexer?

Blacklisting Account_Name=ftpadmin ??

How to execute an external Python script to add fields to events for every event ingested by Splunk?

How can I search total time indexing for source="xxx.log" and bandwidth speed of data transfer between site.

how to avoid searching with source file name

indexed data is being rolled off, deleted. Not sure why, what config am I missing 6.2?

How to push a script out to remote forwarders?

How do I get useful information\reports from Splunk about Windows desktops and servers?

Attempting to run Splunk, why am I getting "Problem parsing indexes.conf: Cannot create index 3rdIndex: path of homePath must be absolute"?

Why is my Splunk 6.2.5 Heavy Forwarder not filtering out events as expected?

How can I design my search head and indexer clustering architecture?

Why is my index not being populated with my current configuration?

What does sendCookedData actually do on a heavy forwarder (i.e. what does 'cooked' mean at a technical level)?

is there a limit on the number of files splunk can monitor?

How do I split out a result So that I have a count of True and False

Deploying blacklist configuration in inputs.conf to universal forwarder

Why is log data still present in an Index well after the frozenTimePeriodInSecs retention period?

Cisco ASA logging format change

When filtering Windows event logs, can you filter on fields other than EventCode, such as Account_Name?

Can I build an indexer cluster with a single indexer and migrate the second indexer in later?

Can someone help me to install and configure a universal forwarder on a Windows 7 machine to forward data to Splunk Cloud?

How do I list all sourcetypes for each host per index, provided one sourcetype=apache?

Forwarder not recursively indexing in 6.3. Works in 6.2.5. A bug?

Why are my props.conf and transforms.conf configurations to set host values based on event data being ignored?

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Syslog SSL - FortiWeb Cloud to Splunk Enterprise

UF

No such file or directory: 'java' adding JMX acco...

WARN SSLCommon [53742 FwdDataReceiverThread] - Re...

Configuring Splunk OTel Collector for Linux/Window...