Getting Data In

Discussions

Thread Info

Prepend all lines forwarded with a timestamp

Hi, We have an application log that doesn't contain timestamps, but we'd actually like to have them within the raw...

by Path Finder in

For WinEventLog://Security, how to use "renderXml=true" for some EventCodes but "renderXml=false" for others?

I know the "simplest" way is to stand up a second instance of Splunk and have completely different values for renderX...

by Esteemed Legend in

How to troubleshoot why an indexer is only receiving data from 50% of forwarders in my environment?

I spent hours trying to figure this out Friday, and it's been bugging me all weekend. So, I'm hoping the community ca...

by Path Finder in

Why is there a one hour difference between event timestamps and index time of my data?

Hi Splunksters, I am having an issue with the time the data is being indexed and the actual events being exactly o...

by Communicator in

How to delete data from syslog-ng after Splunk indexes it, and confirm the data is indexed before deletion?

Is there a way to have Splunk delete the data from a syslog-ng server after it indexes it? Would like to confirm that...

by Path Finder in

using the API to get graphs

Hello I would like to use the API to embed graphs to an external page. Is this at all possible? I looked at the ex...

by Communicator in

How do I configure an on-prem intermediate heavy forwarder to connect to an indexer in our own AWS Cloud environment?

I want to build an indexer, search head, and deployment server on our own (not Splunk's ) AWS VPC. The overall questi...

by New Member in

Possible typo in stanza in props.conf, line 2: AUTO_LINEMERGE = FALSE

I am getting this error with Splunk 5.0.4: Possible typo in stanza [sun_jvm] in /opt/splunk/etc/apps/myapp/default...

by Engager in

Is Heavy Forwarder to Heavy Forwarder possible?

We have a relatively closed network in which we plan to collect logs from. This network resides on a larger "open" ne...

by Builder in

Parsing Windows DHCP Trace Logs using HF -> Indexer -> SH

OK, I've been looking at collecting and parsing the Windows DHCP Trace Logs and after reviewing several forum posts a...

by Builder in

external script in commands.conf to create key/value pair

I've created a script that, when called from the search bar using: |script foo.py | outputtext it outputs a ta...

by Contributor in

Sending monitoring information from .NET application

Hi Everyone, I'm looking into finding a solution to monitor business parameters that are managed appreciatively in...

by New Member in

HttpEventCollectorTraceListener doesn't flush

I'm using the HttpEventCollectorTraceListener and originally my code looked like this: using System; using System....

by Explorer in

How to configure Props.conf and Transforms.conf for a sourcetype on my heavy forwarder to only send messages containing 'warning' to my indexer?

I am trying to alter how much data I am getting from my universal forwarder. The configuration I have is UF -> HF -> ...

by Path Finder in

On what Splunk instance should my FIELDALIAS configurations go?

Hi, I am processing Bluecoat logs on a heavy forwarder. I'm trying to set up some fields using FIELDALIAS, but the...

by Champion in

Properly Extract Time from custom Data Set

Hello, I have the follow data set comprised of custom weblog output: 2015-08-08 12:40:03:163 UserID="37" userGroup...

by Contributor in

How do I delete an index?

Hi I would like to delete an index. This will be my first time, so I do not want to do to much harm. -Is there...

by Path Finder in

Splunk archive app: need advice on script to cleanup Hadoop data

We are now using Splunk archiving. I understand that there is no mechanism to delete the Hadoop Splunk data that has ...

by Path Finder in

SplunkForwarder RPM Installer - Hostname determination

We added SplunkForwarder RPM with a script to install the agent on all our Redhat kickstarts. The problem is that the...

by Builder in

How to assign a custom sourcetype for a data stream flowing via API calls?

I have data being streamed into Splunk using the Python SDK API call. Works perfectly fine using one of the built in ...

by Explorer in

Is there any history of the apps downloaded to my universal forwarders from my deployment server?

by Motivator in

Why is the size of one of our indexes decreasing instead of increasing?

In settings/indexes, one of the indexes was set to 34,000 mb as maximum size. However, I observed that the current si...

by Builder in

Timestamp configuration does not pull the correct timestamp

I am importing cisco logs that have two timestamps with different formats. Unfortunately, configuration set in props...

by Explorer in

Does a universal forwarder ever read props.conf?

Hi, Does a UFW ever read a props.conf file? Is there any reason to put a props.conf on a UFW system?

by Champion in

Why is my sourcetype not parsing as CSV and am getting two events: one with a header and one with a raw event?

I'm trying to parse a CSV file, but I'm getting two events: one with a header and one with a raw event. It is driving...

by Explorer in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Prepend all lines forwarded with a timestamp

For WinEventLog://Security, how to use "renderXml=true" for some EventCodes but "renderXml=false" for others?

How to troubleshoot why an indexer is only receiving data from 50% of forwarders in my environment?

Why is there a one hour difference between event timestamps and index time of my data?

How to delete data from syslog-ng after Splunk indexes it, and confirm the data is indexed before deletion?

using the API to get graphs

How do I configure an on-prem intermediate heavy forwarder to connect to an indexer in our own AWS Cloud environment?

Possible typo in stanza in props.conf, line 2: AUTO_LINEMERGE = FALSE

Is Heavy Forwarder to Heavy Forwarder possible?

Parsing Windows DHCP Trace Logs using HF -> Indexer -> SH

external script in commands.conf to create key/value pair

Sending monitoring information from .NET application

HttpEventCollectorTraceListener doesn't flush

How to configure Props.conf and Transforms.conf for a sourcetype on my heavy forwarder to only send messages containing 'warning' to my indexer?

On what Splunk instance should my FIELDALIAS configurations go?

Properly Extract Time from custom Data Set

How do I delete an index?

Splunk archive app: need advice on script to cleanup Hadoop data

SplunkForwarder RPM Installer - Hostname determination

How to assign a custom sourcetype for a data stream flowing via API calls?

Is there any history of the apps downloaded to my universal forwarders from my deployment server?

Why is the size of one of our indexes decreasing instead of increasing?

Timestamp configuration does not pull the correct timestamp

Does a universal forwarder ever read props.conf?

Why is my sourcetype not parsing as CSV and am getting two events: one with a header and one with a raw event?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform

Edge Processor Destination not showing up in Pipel...

Palo alto Strata logging service logs

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

splunkd.log errors and broken fishbucket on splunk...