Getting Data In

Thread Info

How to correct timestamp recognition that is currently skewed due to result of class "java.util.logging.Logger" output

Hello Splunkers, We have an event coming in from our logs below with this stamp right at the beginning of our logs...

by Communicator in

How do I specify which sources should be indexed from data inputs and not the entire directory?

Hello, Please bear with me because I'm new to Splunk and I've only just started using it today. Also note that I a...

by Explorer in

bucketmover permission denied archiving

Any thoughts on why I would be getting the following error: 12-17-2014 14:34:28.167 -0700 ERROR BucketMover - abor...

by Explorer in

Why is my deployment server downloading so much after upgrading from Splunk 6.1.1 to 6.1.9??

Hi, I upgraded my deployment server from 6.1.1 to 6.1.9, and it seems now that all of my forwarders are downloadin...

by Champion in

How do I correct my forwarder blacklist configuration for FTP-Logs?

Dear Community, In our Webserver we have the following Logs: F:\IIS-Log Sometimes we have F:\IIS-LOG\FTP and F:\II...

by New Member in

Can I define the sourcetype in the log itself?

I happen to have some control over our java logs. Rather than use transforms.conf/props.conf to create various source...

by Builder in

Why is my props.conf and transforms.conf configuration not filtering out IIS logs as expected?

Hi, I have the following IIS log: 2015-11-26 11:19:37 10.10.90.36 GET /webpl3/Handlers/ClientState/ClientState....

by Path Finder in

On data ingest, does Splunk recognize maps?

I'm using Splunk to store data tuples that contain maps. For example, such a map is: {"likes": ["strawberry", "va...

by Engager in

CIDR search on host field

Hello Everyone, I'm facing a strange behavior here : searching host=10.1.2.* returns 511,000+ resultssearching ...

by Explorer in

Time Stamp - Log Delay

Hi Splunk users, I have a problem regarding Splunk showing incorrect timestamps: Splunk pretty much shows me ti...

by Communicator in

How to remove the currency symbol etc. from a field before indexing?

This is what the data looks like in the source file (.csv). Notice the $156.03 09/26/13, 2013 , 09-Sep , Week-39 ,...

by Legend in

Is there a way to get Splunk DB Connect 1 to parse a binary column into Splunk-friendly ASCII?

I have a DB Connect query for which the results in one column read as ***** BINARY ***** Is there a way to get DBConn...

by Path Finder in

Is multitiered load balancing supported in Splunk 6.3.1? (Universal Forwarders > Heavy Forwarders > Clustered Indexers)

Hi, After going through the 6.3.1 documentation, it is still not clear to me whether multitiered load balancing is...

by Super Champion in

What's the earliest date I can have in Splunk?

The largest setting I can make for MAX_DAYS_AGO according to the props.conf.spec is 10951 days. Is there anything ...

by Splunk Employee in

Bulk rename fields created by spath in json search results

I am working with a bunch of different logs that contain json, sometimes for events that differ. I have the props set...

by Builder in

how to change the upload time stamp?

Hi , Actually I am having splunk index servers in Eastern Time Zone (UTC-5:00) but some of my application servers ...

by Path Finder in

After editing Indexes.conf: Problem parsing indexes.conf: stanza=_audit Required parameter=tstatsHomePath not configured

I was receiving the following messages on my search head, coming from one of my search peers: Search peer has the ...

by Path Finder in

dbconnect ms sql timestamp error

Hello, Question + answers here : We were using dbconnect 2 for a MS sql query. the column used for the timestamp was ...

by Splunk Employee in

Does anyone know how to change data compression settings in Splunk?

I can search for compression settings information all day long and currently we only compress at 34% overall (Firebri...

by Communicator in

How to configure directory and file monitoring on a universal forwarder?

Hi, I've got a universal forwarder and I'm trying to monitor C:\Windows\System32\winevt\Logs. I've tried 2 solutio...

by Explorer in

Importing 'old' data set results in incorrect date extraction after 2010

Hello, Trying to import a CSV with dates going back 50+ years (https://www.quandl.com/api/v3/datasets/BCB/UDJIAD1.csv...

by Path Finder in

Why is time_before_close attribute causing a delay in indexing ?

I had set the value of time_before_close attribute to 300 (5 mins) in one of my monitor stanzas. What I observed is t...

by Communicator in

How to troubleshoot why props.conf settings did not take effect and an index was not automatically created?

Hi Experts, I dont want to wake up any zombies, hence I create new thread here. I have props.conf file works on...

by Communicator in

Why does ignoreolderthan=1d still result in the indexing of files older than 1 day?

My 6.3.1 inputs.conf is: [monitor://E:\Tomcat-instance1\logs] index=instance1_appl sourcetype=tomcat-appl ignoreol...

by Motivator in

Why am I unable to run a fresh Install of Splunk 6.3 on a VM running Windows Server 2012

Hi. I just installed Splunk Enterprise 6.3 on a VM running Windows Server 2012. The install went fine, but when I...

by Communicator in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

How to correct timestamp recognition that is currently skewed due to result of class "java.util.logging.Logger" output

How do I specify which sources should be indexed from data inputs and not the entire directory?

bucketmover permission denied archiving

Why is my deployment server downloading so much after upgrading from Splunk 6.1.1 to 6.1.9??

How do I correct my forwarder blacklist configuration for FTP-Logs?

Can I define the sourcetype in the log itself?

Why is my props.conf and transforms.conf configuration not filtering out IIS logs as expected?

On data ingest, does Splunk recognize maps?

CIDR search on host field

Time Stamp - Log Delay

How to remove the currency symbol etc. from a field before indexing?

Is there a way to get Splunk DB Connect 1 to parse a binary column into Splunk-friendly ASCII?

Is multitiered load balancing supported in Splunk 6.3.1? (Universal Forwarders > Heavy Forwarders > Clustered Indexers)

What's the earliest date I can have in Splunk?

Bulk rename fields created by spath in json search results

how to change the upload time stamp?

After editing Indexes.conf: Problem parsing indexes.conf: stanza=_audit Required parameter=tstatsHomePath not configured

dbconnect ms sql timestamp error

Does anyone know how to change data compression settings in Splunk?

How to configure directory and file monitoring on a universal forwarder?

Importing 'old' data set results in incorrect date extraction after 2010

Why is time_before_close attribute causing a delay in indexing ?

How to troubleshoot why props.conf settings did not take effect and an index was not automatically created?

Why does ignoreolderthan=1d still result in the indexing of files older than 1 day?

Why am I unable to run a fresh Install of Splunk 6.3 on a VM running Windows Server 2012

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Splunk ITSI & Correlated Network Visibility

Power Platform audit logs

Regex works but transforms.conf extracts only part...

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

Getting Data In

Are you a member of the Splunk Community?

Discussions