Getting Data In

Discussions

Thread Info

Is Heavy Forwarder to Heavy Forwarder possible?

We have a relatively closed network in which we plan to collect logs from. This network resides on a larger "open" ne...

by Builder in

Parsing Windows DHCP Trace Logs using HF -> Indexer -> SH

OK, I've been looking at collecting and parsing the Windows DHCP Trace Logs and after reviewing several forum posts a...

by Builder in

external script in commands.conf to create key/value pair

I've created a script that, when called from the search bar using: |script foo.py | outputtext it outputs a ta...

by Contributor in

Sending monitoring information from .NET application

Hi Everyone, I'm looking into finding a solution to monitor business parameters that are managed appreciatively in...

by New Member in

HttpEventCollectorTraceListener doesn't flush

I'm using the HttpEventCollectorTraceListener and originally my code looked like this: using System; using System....

by Explorer in

How to configure Props.conf and Transforms.conf for a sourcetype on my heavy forwarder to only send messages containing 'warning' to my indexer?

I am trying to alter how much data I am getting from my universal forwarder. The configuration I have is UF -> HF -> ...

by Path Finder in

On what Splunk instance should my FIELDALIAS configurations go?

Hi, I am processing Bluecoat logs on a heavy forwarder. I'm trying to set up some fields using FIELDALIAS, but the...

by Champion in

Properly Extract Time from custom Data Set

Hello, I have the follow data set comprised of custom weblog output: 2015-08-08 12:40:03:163 UserID="37" userGroup...

by Contributor in

How do I delete an index?

Hi I would like to delete an index. This will be my first time, so I do not want to do to much harm. -Is there...

by Path Finder in

Splunk archive app: need advice on script to cleanup Hadoop data

We are now using Splunk archiving. I understand that there is no mechanism to delete the Hadoop Splunk data that has ...

by Path Finder in

SplunkForwarder RPM Installer - Hostname determination

We added SplunkForwarder RPM with a script to install the agent on all our Redhat kickstarts. The problem is that the...

by Builder in

How to assign a custom sourcetype for a data stream flowing via API calls?

I have data being streamed into Splunk using the Python SDK API call. Works perfectly fine using one of the built in ...

by Explorer in

Is there any history of the apps downloaded to my universal forwarders from my deployment server?

by Motivator in

Why is the size of one of our indexes decreasing instead of increasing?

In settings/indexes, one of the indexes was set to 34,000 mb as maximum size. However, I observed that the current si...

by Builder in

Timestamp configuration does not pull the correct timestamp

I am importing cisco logs that have two timestamps with different formats. Unfortunately, configuration set in props...

by Explorer in

Does a universal forwarder ever read props.conf?

Hi, Does a UFW ever read a props.conf file? Is there any reason to put a props.conf on a UFW system?

by Champion in

Why is my sourcetype not parsing as CSV and am getting two events: one with a header and one with a raw event?

I'm trying to parse a CSV file, but I'm getting two events: one with a header and one with a raw event. It is driving...

by Explorer in

Are there alternatives to log Isilon SMB activity in Splunk?

We are trying to use splunk to log our Isilon SMB activity. However it does not seem like the TA for CEE server will ...

by Explorer in

Cron schedule stuck on initial user timezone.

Hi there, I made the mistake of configuring some alert under the admin user before I'd set it's timezone. Now the ...

by Path Finder in

Why is my Splunk universal forwarder monitor hostname key not working?

Splunk Forwarder monitor hostname key is not working. Amazon Linux AMI release 2015.03 3.14.48-33.39.amzn1.x86_64 ...

by Explorer in

Is there a way to ingest data from Google Webmaster Tools or the Prerender Admin Console

Trying to find ways to get this data in. AS of yet I have not found anything but I was thinking maybe some sort of sc...

by Builder in

Why is this props.conf not stripping headers for bro logs?

Am I missing something? My understanding of splunk 6 is that the following configuration should strip all lines begin...

by Engager in

Problem with Line breaking between Splunk 6.2.3 vs 6.3.0

We have a development environment (replica of prod) running Splunk 6.2.3 (upgraded from 6.1.5). I am testing monitori...

by Communicator in

Is there a way to reverse the action of "splunk add oneshot" on a specific input file?

Our Splunk forwarder has missed one file (1 hour worth of logs) for some reason, so I used oneshot to load the missin...

by New Member in

How does universal forwarder load balancing work?

Given this in outputs.conf: [tcpout: my_LB_indexers] server=10.10.10.1:9997,10.10.10.2:9996,10.10.10.3:9995 It...

by New Member in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Is Heavy Forwarder to Heavy Forwarder possible?

Parsing Windows DHCP Trace Logs using HF -> Indexer -> SH

external script in commands.conf to create key/value pair

Sending monitoring information from .NET application

HttpEventCollectorTraceListener doesn't flush

How to configure Props.conf and Transforms.conf for a sourcetype on my heavy forwarder to only send messages containing 'warning' to my indexer?

On what Splunk instance should my FIELDALIAS configurations go?

Properly Extract Time from custom Data Set

How do I delete an index?

Splunk archive app: need advice on script to cleanup Hadoop data

SplunkForwarder RPM Installer - Hostname determination

How to assign a custom sourcetype for a data stream flowing via API calls?

Is there any history of the apps downloaded to my universal forwarders from my deployment server?

Why is the size of one of our indexes decreasing instead of increasing?

Timestamp configuration does not pull the correct timestamp

Does a universal forwarder ever read props.conf?

Why is my sourcetype not parsing as CSV and am getting two events: one with a header and one with a raw event?

Are there alternatives to log Isilon SMB activity in Splunk?

Cron schedule stuck on initial user timezone.

Why is my Splunk universal forwarder monitor hostname key not working?

Is there a way to ingest data from Google Webmaster Tools or the Prerender Admin Console

Why is this props.conf not stripping headers for bro logs?

Problem with Line breaking between Splunk 6.2.3 vs 6.3.0

Is there a way to reverse the action of "splunk add oneshot" on a specific input file?

How does universal forwarder load balancing work?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Bug in version 10.0.1 Data Inputs - Local event lo...

uberAgent

.NET Application Runtime Metrics Not Showing in Sp...

Streamfwd drops IPFIX data with “no template recei...

Splunk Observability Cloud/SignalFx - Related Cont...

Getting Data In

Are you a member of the Splunk Community?

Discussions