Getting Data In

Thread Info

After a restart, is there a way to configure which monitor stanzas Splunk should start processing first to prioritize what gets indexed?

HI, I have a few large directories that take a long time for Splunk to start indexing after a restart. Is there a...

by Contributor in

How to strip the FQDN from an inputs.conf monitor path using host_segment?

I have files on multiple servers that I need to log that are housed in a directory where the path includes the system...

by Explorer in

How to exclude one or more cluster peers from the index replication target list?

As the Cluster Deployments are reaching maturity, we are planning to add a new Cluster Peer/Indexer to the existing C...

by Splunk Employee in

Is it possible for the cluster master to have a different OS than the indexer cluster peers? What are the potential drawbacks?

My Splunk environment has two indexers running on VMs with Linux OS, and I want to create an indexer cluster. My thir...

by Explorer in

What decides the order of the fields output in CSV files from Splunk, and is there a way to control the order?

We output .csv file from splunk. When we test on a test machine, the order of CSV file fields is "Action", "Return...

by Path Finder in

How to configure Splunk for input active files?

Hi, I'm already monitoring new files in a directory, but I would like to monitor the changes in the files too. Her...

by Builder in

How do I edit my props.conf and transforms.conf to filter select events from one source file from getting indexed?

We have a vanilla install, just one stand alone Splunk Server. I am wanting to filter select events from one source f...

by New Member in

Input files have changed format, so how do I edit my configurations to keep the old data and handle the new data?

Hi, Here is my situation (and I know it isn't ideal, but I have to work with it for now) I have scripts that pr...

by Path Finder in

Is it possible to filter all values in certain fields from our access logs to nullQueue?

Hey, We have a regular access log file with fields named UserAgent and Method. Is it possible to send all data in...

by Path Finder in

What is the proper indexes.conf syntax for moving colddb to another volume?

I would just like to confirm my syntax... I've read a bunch of postings, I've RTFM, but none have an actual sample or...

by Contributor in

Help save fschange! Still seeing great value in keeping fschange (deprecated since 5.x)

When my company first purchased Splunk 4.x fschange was not deprecated and was one of the reasons that we have Splunk...

by Path Finder in

After creating a new sourcetype, where do I find the props.conf for it?

Hello, I created a new sourcetype and there is no props.conf in splunk/etc/system/local.. Where is it stored? o...

by Influencer in

Why am I seeing "Authentication failed" in the Distributed Management Console for search peers added using CLI commands in a script?

Hi all, I add the search peers by using the CLI commands in a script. When I check the Distributed Management Cons...

by Path Finder in

Our ISP sends us Exchange log files every hour. What is the best solution to analyze this?

Every hour our ISP send to us the Exchange logs file. What is the best solution to analyze this?

by Path Finder in

Data Retention - can we copy frozendb to tape?

Is it possible to archive frozendbs to tape and pull that data back for splunk to read at a later date? For exampl...

by Explorer in

TCP Input Ignores Custom Timestamp in JSON

Hello, I have user event logs that I'm trying to ingest over TCP. Every event is a JSON like this: {key1:v1,......

by Engager in

Why does excludeFromUpdate not work in serverclass.conf?

Hi all, I'm managing my apps deployed through forwarder management using git. When running a scheduled "git pull" ...

by Builder in

Discarding events using TRANSFORMS-null

I'm trying to bring in Cisco CDR files for some very basic splunk searches. The standard CDR format has a header row,...

by Path Finder in

Is there a best practice for maintaining replication for a specific index between two independent Splunk installations?

Hi, Is there a best practice way of keeping a set of indexes replicated between two independent Splunk installatio...

by Explorer in

How to manually Index Data in Splunk 6.2.5?

Our production environment just upgraded to 6.2.5 from 6.0.3. The new data inputs seem to be pretty straight forward,...

by Builder in

Why am I getting "Received event for unconfigured/disabled/deleted index='wineventlog'" after installing a Universal forwarder on a Windows Domain Controller?

I've installed a universal forwarder on a Windows Domain Controller and configured on the Splunk server end I enabled...

by Engager in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

After a restart, is there a way to configure which monitor stanzas Splunk should start processing first to prioritize what gets indexed?

How to strip the FQDN from an inputs.conf monitor path using host_segment?

How to exclude one or more cluster peers from the index replication target list?

Is it possible for the cluster master to have a different OS than the indexer cluster peers? What are the potential drawbacks?

What decides the order of the fields output in CSV files from Splunk, and is there a way to control the order?

How to configure Splunk for input active files?

How do I edit my props.conf and transforms.conf to filter select events from one source file from getting indexed?

Input files have changed format, so how do I edit my configurations to keep the old data and handle the new data?

Is it possible to filter all values in certain fields from our access logs to nullQueue?

What is the proper indexes.conf syntax for moving colddb to another volume?

Help save fschange! Still seeing great value in keeping fschange (deprecated since 5.x)

After creating a new sourcetype, where do I find the props.conf for it?

Why am I seeing "Authentication failed" in the Distributed Management Console for search peers added using CLI commands in a script?

Our ISP sends us Exchange log files every hour. What is the best solution to analyze this?

Data Retention - can we copy frozendb to tape?

TCP Input Ignores Custom Timestamp in JSON

Why does excludeFromUpdate not work in serverclass.conf?

Discarding events using TRANSFORMS-null

Is there a best practice for maintaining replication for a specific index between two independent Splunk installations?

How to manually Index Data in Splunk 6.2.5?

Why am I getting "Received event for unconfigured/disabled/deleted index='wineventlog'" after installing a Universal forwarder on a Windows Domain Controller?

how to differentiate b/w the source types and integrate them as one.

Inputs.conf not working for Splunk 6.3.0

How to configure fschange Windows file monitoring, but exclude a sub-folder using blacklist?

Splunk 6.3 Extract Fields Props.conf & transforms.conf not working

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

How to integrate SentinelOne Singularity Enterpris...

splunkd.log errors and broken fishbucket on splunk...

update to Splunk Add-on for Infoblox?

CSAM Reports - 500 ERROR

JSON Data extraction issues with Comma