Getting Data In

Thread Info

In Splunk Cloud, how do I delete data?

For example, I want to run a query: host="localhost" | delete But I am given the error: "Error in 'delete' com...

by Explorer in

"Reindex" data on new indexer

We are about to transition from using Windows servers to run Splunk to using Linux servers. On the day we make the sw...

by Builder in

How can I use a universal forwarder to send log files in specific directory to ArcSight?

I am already sending *.debug syslog data to an ArcSight connector in rsyslog.conf. Now they want to monitor some appl...

by Explorer in

How can I get a list of subdirectories from a virtual index without having to retrieve events?

The metadata command does not work for virtual indexes used by Hunk. My goal is to get a list of values from items...

by Engager in

If I installed a universal forwarder with a local system account, is it possible to change to a domain account without uninstalling the forwarder?

Hi , I have installed a Universal Forwarder with a local system account, but now I want to make it in a domain acc...

by Path Finder in

How to tell Splunk which fields are numbers in an uploaded .txt file?

Hi, I've create a sourcetype for uploading .txt files and use the headers as field names. Currently, all values ar...

by Motivator in

Is it possible to forward logs to an indexer from a mapped drive using a universal forwarder?

Hi, I have installed the Splunk universal forwarder on my machine and I have also mapped on the remote server to t...

by Path Finder in

Why does splunk adds a Timestamp to _raw if there already is a valid one.

Hello, I have the following problem and I don't really know where to look next in order to find the issue. I ...

by Path Finder in

Splunk インストール時にLocal Userをother userに設定できない

Splunkインストールについて教えてください。 [質問内容] ・インストール時にLocal Userをother userに設定できるのか？ ・SplunkサービスはPCのローカルユーザーはサポートされているのか？ [環...

by Explorer in

How to specify a specific field to use as time field while indexing json data

I need to know how to specify to Splunk to pick a particular field in the data as Time while indexing the data. My da...

by Path Finder in

How do we ingest data from Jive into Splunk for analysis.

Whats the process to ingest data from Jive to Splunk for data analysis. Are there any add-on or apps available. Also ...

by Splunk Employee in

Can props.conf and indexes.conf be split for more clear structure?

Hi, as mentioned in the title I'm wondering, if the props.conf or indexes.conf can be split for a more clear structur...

by Path Finder in

What is the suggested amount of space needed in the Splunk syslog server to collect logs from 700-1000 network devices?

I am working on a Splunk project for collecting syslogs from the company network devices, so now I want to implement ...

by Path Finder in

Is it possible to change the current port (8089) of communication between the forwarder and the deployment server?

Hi, I would like to know if it is possible to change the port of communication between the forwarder and its deplo...

by Communicator in

Heavy Forwarder Pulling Windows events: blacklist not working

Blacklists and suppress_text in Splunk 6.2.4 are not working for me on a heavy forwarder. my inputs.conf is: [s...

by Explorer in

Index time props and transforms not working

I have the following props & transforms in splunk dev and prod environment monitoring the same set of iis logs: pr...

by Splunk Employee in

Why is my application log not getting created after we installed a universal forwarder?

Hi , We have installed one third party tool in our server and we wanted to forward those tool logs to a Splunk ind...

by Path Finder in

TenableSC Modular Input error

I have never been able to get the TenableSC Modular Input to work. I get the following error: <error><message>Erro...

by Engager in

After upgrading to Splunk 6.2.2 from 6.0.1, why do Windows event logs now show users as "NOT_TRANSLATED"?

I use Splunk in order to get Local Event Log Collection. I get Windows Printer - Operational with version 6.0.1 th...

by Explorer in

Can I specify multiple parameters in a props stanza?

I am not sure if I can do this and it may be a problem with the host as we are looking into that as well. I have a ho...

by Path Finder in

line breaking partial success

I'm trying to bring in some custom source log files and initially no line breaking was occurring so all of the events...

by Splunk Employee in

How to edit my props and transforms to route data to an index based on host?

I've searched Splunk Answers and Googledom with no luck, leaving me to possibly repeat the same question as others ma...

by Explorer in

How to allocate identical timestamps from multiple lines to separate columns using dedup?

Hi Splunk heads, I'm hoping someone might have the answer to this little issue I am facing. I have a problem wi...

by Path Finder in

Splunk takes long time to start

I've got a newly installed Indexer on RHEL 6.6. It isn't indexing any data. When I restart the Splunk instance with "...

by Path Finder in

How to configure SEDCMD in props.conf to delete XML event content at index-time?

Hi all - I have content in XML events I'm indexing that I don't want: <?xml version="1.0" encoding="UTF-8"?> ...

by Contributor in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

In Splunk Cloud, how do I delete data?

"Reindex" data on new indexer

How can I use a universal forwarder to send log files in specific directory to ArcSight?

How can I get a list of subdirectories from a virtual index without having to retrieve events?

If I installed a universal forwarder with a local system account, is it possible to change to a domain account without uninstalling the forwarder?

How to tell Splunk which fields are numbers in an uploaded .txt file?

Is it possible to forward logs to an indexer from a mapped drive using a universal forwarder?

Why does splunk adds a Timestamp to _raw if there already is a valid one.

Splunk インストール時にLocal Userをother userに設定できない

How to specify a specific field to use as time field while indexing json data

How do we ingest data from Jive into Splunk for analysis.

Can props.conf and indexes.conf be split for more clear structure?

What is the suggested amount of space needed in the Splunk syslog server to collect logs from 700-1000 network devices?

Is it possible to change the current port (8089) of communication between the forwarder and the deployment server?

Heavy Forwarder Pulling Windows events: blacklist not working

Index time props and transforms not working

Why is my application log not getting created after we installed a universal forwarder?

TenableSC Modular Input error

After upgrading to Splunk 6.2.2 from 6.0.1, why do Windows event logs now show users as "NOT_TRANSLATED"?

Can I specify multiple parameters in a props stanza?

line breaking partial success

How to edit my props and transforms to route data to an index based on host?

How to allocate identical timestamps from multiple lines to separate columns using dedup?

Splunk takes long time to start

How to configure SEDCMD in props.conf to delete XML event content at index-time?

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions