Getting Data In

Discussions

Thread Info

What is the endpoint to access splunk-launch.conf via REST API?

I am trying to access splunk-launch.conf from REST API. I've been through the REST API documentation and still can't ...

by Communicator in

How can I create a Dashboard to display only those domain User Accounts for which the contents of a specific AD attribute has changed?

Specifically, if an AD user account attribute "employeeType" changes from "NULL" to "Contractor", how can I detect/fi...

by Path Finder in

How to configure props.conf for a Unix timestamp in a JSON log file?

All, I have a json log file we're bringing in. Its time is logged as: "start":"1461191869.576” Any ide...

by Builder in

Why am I unable to delete Splunk from an Ubuntu server?

I tried deleting Splunk completely from the Ubuntu server. I'm able to delete the splunk_home directory, but when I r...

by New Member in

REST api no results from sid

Splunk 6.1.0 (build 206881) Mac OSX input: curl -u admin:splunker -k https://localhost:8089/services/search/jobs -...

by Path Finder in

How to configure inputs.conf to monitor files which get created automatically after reaching a certain size?

I have file called console.log. When its size reaches to 512MB, another file gets created with the name console_serve...

by New Member in

I configured inputs.conf in Splunk free to monitor different app log files, but why am I unable to view the data in Splunk Web?

HI, I am new to Splunk. Apologies if the same question was asked earlier. I am posting here as I couldn't find th...

by New Member in

How can I use a unixtimestamp as a timerange filter like with earliest & latest in the first pipe?

Hi, my events have a field with epochtime which I want to use in the very first pipe to filter the search Of cours...

by Motivator in

Change tag permission via REST API (cURL)

I have a curl statement which is sent to the rest api of my search head to add some tags based upon some criteria, af...

by Communicator in

Find line number of search string in multiline event

I have multiline events and I need to identify which line number a search string appears in. Preferred would be a sol...

by Builder in

After rebuilding a Splunk server, is there way to centrally tell all my forwarders to resend all logs prior to the system going down?

Recently I had to rebuild our Splunk server. Luckily we had the config files so was able to get everything back up an...

by Engager in

Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded?

Hi I am having a strange issue where some of the message or 'EventData' is missing from the forwarded Windows even...

by New Member in

When I try to add or delete port 9997, why do I get the same "Error occurred attempting to remove 9997...Could not find config id for port"?

When I try deleting port 9997, I get the following problem: Error occurred attempting to remove 9997: In handler '...

by Explorer in

Why is Splunk indexing two hostnames when I only have one set in inputs.conf?

I am monitoring two files: /var/log/secure and /var/log/messages In the Data Summary Hosts tab, I have two hosts: ...

by Explorer in

Is it possible to prioritize what data is forwarded from a heavy forwarder? (ex: security data first, then non-security data)

Hi everybody, I'm new in Splunk, so be gentle, please. So that's the scenario: I have a Splunk Heavy forward...

by Influencer in

How to assess improvement in network utilization after turning on compression on a universal forwarder?

Hi, I'm wanting to assess the improvement in network utilization after turning on compression. Is there any search...

by Communicator in

How to send logs from a Kiwi syslog server to Splunk?

How to integrate Kiwi syslog server with Splunk? I mean what configuration changes are required to perform on the kiw...

by Explorer in

delta report for multiple hosts

I have the following log messages coming from syslog-ng Jun 14 10:32:04 sc4-cron.mcafeesecure.com syslog-ng[2775]:...

by Explorer in

Configuring inputs.conf to send data to specific Index

I have a Splunk setup defined like: Universal Forwarder ---->Heavy Forwarder ------>Indexer I need that all the lo...

by Path Finder in

When parsing JSON events, why does Splunk round nanoseconds timestamp to 'none' and uses the indexed time as _time?

I'm having real issues in parsing JSON events. I have a distributed Splunk setup and I have tested uploading the logs...

by Path Finder in

Get Updates on the Splunk Community!

Getting Data In

Discussions

What is the endpoint to access splunk-launch.conf via REST API?

How can I create a Dashboard to display only those domain User Accounts for which the contents of a specific AD attribute has changed?

How to configure props.conf for a Unix timestamp in a JSON log file?

Why am I unable to delete Splunk from an Ubuntu server?

REST api no results from sid

How to configure inputs.conf to monitor files which get created automatically after reaching a certain size?

I configured inputs.conf in Splunk free to monitor different app log files, but why am I unable to view the data in Splunk Web?

How can I use a unixtimestamp as a timerange filter like with earliest & latest in the first pipe?

Change tag permission via REST API (cURL)

Find line number of search string in multiline event

After rebuilding a Splunk server, is there way to centrally tell all my forwarders to resend all logs prior to the system going down?

Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded?

When I try to add or delete port 9997, why do I get the same "Error occurred attempting to remove 9997...Could not find config id for port"?

Why is Splunk indexing two hostnames when I only have one set in inputs.conf?

Is it possible to prioritize what data is forwarded from a heavy forwarder? (ex: security data first, then non-security data)

How to assess improvement in network utilization after turning on compression on a universal forwarder?

How to send logs from a Kiwi syslog server to Splunk?

delta report for multiple hosts

Configuring inputs.conf to send data to specific Index

When parsing JSON events, why does Splunk round nanoseconds timestamp to 'none' and uses the indexed time as _time?

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

JSON with escape character in field name

Has anyone tried sending alerts from Moogsoft to S...

Help with field extraction of CMD output like "net...

Why is event time different from server time?

Is it possible to have scheduled saved search usin...