Getting Data In

Thread Info

Monitoring two different paths in inputs.conf, why am I only getting logs from one path, but not the second path?

Hi the following is my inputs.conf [monitor:///opt/jboss/server/*/log/server.log] index = sit_2 sourcetype = log4...

by Builder in

How would I display all hosts with AND without events?

I'm trying to audit an environment based on Window's RDP event codes 21, 22, and 25. I'm able to display the number o...

by Explorer in

Searching events for a specific host, why are we getting results for 2 hosts: one upper case hostname and one lower case?

Hello, In our Splunk Enterprise, we have created a customized indexer. We are trying to get certain events of a sp...

by New Member in

After removing data using the delete command in a search, how do I reindex that data?

Hi, I have one delimited tab log file with a .txt extension. I pushed the data from from that log file to the Splu...

by Communicator in

How to delete indexed data for a particular date?

Hi, I index data on a daily basis. For indexing, I have made a monitoring path in inputs.conf, so once the file is...

by Path Finder in

Can I log in to Splunk Web from credentials entered on an external webpage?

I have a webpage where users enter their username and password to view their profile. I would like to include some co...

by Contributor in

How to dedup a field inside JSON arrays?

Hi guys, I'm working on some formulas to show percentages, right now trying to count % vendors affected by vulnera...

by Communicator in

How to delete event data from an indexer using the REST API?

Hi everyone, I have found similar questions and responses to this type of scenario, but I can’t seem to find a way...

by New Member in

Django bindings, header: appbar has no effect? (Splunk Enterprise 6.1)

I'm starting to experiment Splunk Web Framework. Following some tutorials, trying to tweak things here and there. One...

by Builder in

How to configure stanzas in inputs.conf to monitor two paths with the same folder names, but are case sensitive?

Hi All, I need to configure inputs.conf for the folder path below. Can we do it in one stanza, or do we need creat...

by Contributor in

How do I edit my props.conf to break multiline events?

Hello; I found a problem breaking multiline events in Splunk. I need to break events that have this format: Eve...

by Engager in

sourcetype naming scheme

What's a good sourcetype naming scheme in a large environment with numerous different applications using several tech...

by Explorer in

Is it possible to receive and forward logs using a Splunk universal forwarder on Linux?

Can you please help us? Is it possible to receive and forward logs using a Splunk universal forwarder? Because lo...

by Builder in

Why am I receiving these errors on startup of WAS Universal Forwarder

upon startup of universal forwarder in a WAS environment, I receive the following (many of them, this is just an exam...

by New Member in

Is there a way to use kv_mode=json and eliminate one level in spath?

Is there a way to use kv_mode=json and remove levels of nesting during indexing or later? Example: we jave some js...

by SplunkTrust in

What path do I use to add new files, images, and fonts to load on a dashboard?

Hi , I have custom fonts for my dashboard and added the same in my app in the below path. /opt/splunk/etc/apps/...

by Motivator in

Should we run Splunk Enterprise forwarders on Windows or Linux in our distributed search environment?

We are rebuilding our distributed search Splunk environment: 1 Deployment Server 1 Dedicated Search Head 1 License...

by Builder in

Can I use SED in configuration files?

Hi all, I am fairly new to Splunk and have been working on the following search time field extraction to grab wind...

by Engager in

How to configure indexes.conf to have indexed data deleted after 1 day or 24 hours?

Hi splunkers, I want to achieve 1 day retention for indexed data. How can I achieve this? I have a cluster setup w...

by Communicator in

How do I edit my code for a universal forwarder silent installation on Windows via CLI?

Hello, This is my code for installing and updating the UniversalForwarder via the command line. msiexec.exe /i ...

by New Member in

Is it possible to disable Load Balancing between Universal Forwarders and the Heavy Forwarder?

We have many systems with Universal Forwarders sending to a dedicated Heavy Forwarder. We would like to put a 3rd par...

by Explorer in

Can I take one IP with two different sets of logs (DNS and DHCP) and import that into two different sourcetypes?

So, here's my admittedly dumb situation. I have an IPAM appliance(s) that does both DNS and DHCP. The output port for...

by Engager in

Why does Splunk 6.1.2 forwarder on an AIX 7.1 machine keep crashing?

I have a AIX 7.1 machine setup as a forwarder running Splunk 6.1.2. Splunk keeps crashing almost and I need help to f...

by Explorer in

How to troubleshoot why my Windows universal forwarder stopped forwarding Windows application event logs?

Recently my Windows Universal Forwarder stopped forwarding Windows application event log messages to my indexer. Seem...

by Communicator in

How do you replace ip address with name?

We're looking to substitute the host field, which is an IP address, with the device name that corresponds to the IP a...

by New Member in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Monitoring two different paths in inputs.conf, why am I only getting logs from one path, but not the second path?

How would I display all hosts with AND without events?

Searching events for a specific host, why are we getting results for 2 hosts: one upper case hostname and one lower case?

After removing data using the delete command in a search, how do I reindex that data?

How to delete indexed data for a particular date?

Can I log in to Splunk Web from credentials entered on an external webpage?

How to dedup a field inside JSON arrays?

How to delete event data from an indexer using the REST API?

Django bindings, header: appbar has no effect? (Splunk Enterprise 6.1)

How to configure stanzas in inputs.conf to monitor two paths with the same folder names, but are case sensitive?

How do I edit my props.conf to break multiline events?

sourcetype naming scheme

Is it possible to receive and forward logs using a Splunk universal forwarder on Linux?

Why am I receiving these errors on startup of WAS Universal Forwarder

Is there a way to use kv_mode=json and eliminate one level in spath?

What path do I use to add new files, images, and fonts to load on a dashboard?

Should we run Splunk Enterprise forwarders on Windows or Linux in our distributed search environment?

Can I use SED in configuration files?

How to configure indexes.conf to have indexed data deleted after 1 day or 24 hours?

How do I edit my code for a universal forwarder silent installation on Windows via CLI?

Is it possible to disable Load Balancing between Universal Forwarders and the Heavy Forwarder?

Can I take one IP with two different sets of logs (DNS and DHCP) and import that into two different sourcetypes?

Why does Splunk 6.1.2 forwarder on an AIX 7.1 machine keep crashing?

How to troubleshoot why my Windows universal forwarder stopped forwarding Windows application event logs?

How do you replace ip address with name?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions