Getting Data In

Thread Info

Problem Removing Leading Zeros From IP Address

Splunk is indexing a CSV file that contains an IP address and it looks something like this: "Windows 7","SSHEFFIER...

by Path Finder in

Why does Splunk ask me to restart when I create a new index?

Hi everyone, I don't understand why, but when I create a new index, Splunk needs a restart. Do you have best pr...

by Path Finder in

How to add a new sourcetype to an existing index?

Hi, Sorry if my question is repeated. I have an index with sourcetype as 'firewall' and now I want to add one m...

by Path Finder in

What are suggested approaches/steps for Syslog to switch to another heavy forwarder when primary goes down?

Hi Splunkers, Kindly suggest any approach/steps for Syslog must Switch to another Splunk Heavy Forwarder autom...

by Contributor in

Monitoring two different paths in inputs.conf, why am I only getting logs from one path, but not the second path?

Hi the following is my inputs.conf [monitor:///opt/jboss/server/*/log/server.log] index = sit_2 sourcetype = log4...

by Builder in

How would I display all hosts with AND without events?

I'm trying to audit an environment based on Window's RDP event codes 21, 22, and 25. I'm able to display the number o...

by Explorer in

Searching events for a specific host, why are we getting results for 2 hosts: one upper case hostname and one lower case?

Hello, In our Splunk Enterprise, we have created a customized indexer. We are trying to get certain events of a sp...

by New Member in

After removing data using the delete command in a search, how do I reindex that data?

Hi, I have one delimited tab log file with a .txt extension. I pushed the data from from that log file to the Splu...

by Communicator in

How to delete indexed data for a particular date?

Hi, I index data on a daily basis. For indexing, I have made a monitoring path in inputs.conf, so once the file is...

by Path Finder in

Can I log in to Splunk Web from credentials entered on an external webpage?

I have a webpage where users enter their username and password to view their profile. I would like to include some co...

by Contributor in

How to dedup a field inside JSON arrays?

Hi guys, I'm working on some formulas to show percentages, right now trying to count % vendors affected by vulnera...

by Communicator in

How to delete event data from an indexer using the REST API?

Hi everyone, I have found similar questions and responses to this type of scenario, but I can’t seem to find a way...

by New Member in

Django bindings, header: appbar has no effect? (Splunk Enterprise 6.1)

I'm starting to experiment Splunk Web Framework. Following some tutorials, trying to tweak things here and there. One...

by Builder in

How to configure stanzas in inputs.conf to monitor two paths with the same folder names, but are case sensitive?

Hi All, I need to configure inputs.conf for the folder path below. Can we do it in one stanza, or do we need creat...

by Contributor in

How do I edit my props.conf to break multiline events?

Hello; I found a problem breaking multiline events in Splunk. I need to break events that have this format: Eve...

by Engager in

sourcetype naming scheme

What's a good sourcetype naming scheme in a large environment with numerous different applications using several tech...

by Explorer in

Is it possible to receive and forward logs using a Splunk universal forwarder on Linux?

Can you please help us? Is it possible to receive and forward logs using a Splunk universal forwarder? Because lo...

by Builder in

Why am I receiving these errors on startup of WAS Universal Forwarder

upon startup of universal forwarder in a WAS environment, I receive the following (many of them, this is just an exam...

by New Member in

Is there a way to use kv_mode=json and eliminate one level in spath?

Is there a way to use kv_mode=json and remove levels of nesting during indexing or later? Example: we jave some js...

by SplunkTrust in

What path do I use to add new files, images, and fonts to load on a dashboard?

Hi , I have custom fonts for my dashboard and added the same in my app in the below path. /opt/splunk/etc/apps/...

by Motivator in

Should we run Splunk Enterprise forwarders on Windows or Linux in our distributed search environment?

We are rebuilding our distributed search Splunk environment: 1 Deployment Server 1 Dedicated Search Head 1 License...

by Builder in

Can I use SED in configuration files?

Hi all, I am fairly new to Splunk and have been working on the following search time field extraction to grab wind...

by Engager in

How to configure indexes.conf to have indexed data deleted after 1 day or 24 hours?

Hi splunkers, I want to achieve 1 day retention for indexed data. How can I achieve this? I have a cluster setup w...

by Communicator in

How do I edit my code for a universal forwarder silent installation on Windows via CLI?

Hello, This is my code for installing and updating the UniversalForwarder via the command line. msiexec.exe /i ...

by New Member in

Is it possible to disable Load Balancing between Universal Forwarders and the Heavy Forwarder?

We have many systems with Universal Forwarders sending to a dedicated Heavy Forwarder. We would like to put a 3rd par...

by Explorer in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Problem Removing Leading Zeros From IP Address

Why does Splunk ask me to restart when I create a new index?

How to add a new sourcetype to an existing index?

What are suggested approaches/steps for Syslog to switch to another heavy forwarder when primary goes down?

Monitoring two different paths in inputs.conf, why am I only getting logs from one path, but not the second path?

How would I display all hosts with AND without events?

Searching events for a specific host, why are we getting results for 2 hosts: one upper case hostname and one lower case?

After removing data using the delete command in a search, how do I reindex that data?

How to delete indexed data for a particular date?

Can I log in to Splunk Web from credentials entered on an external webpage?

How to dedup a field inside JSON arrays?

How to delete event data from an indexer using the REST API?

Django bindings, header: appbar has no effect? (Splunk Enterprise 6.1)

How to configure stanzas in inputs.conf to monitor two paths with the same folder names, but are case sensitive?

How do I edit my props.conf to break multiline events?

sourcetype naming scheme

Is it possible to receive and forward logs using a Splunk universal forwarder on Linux?

Why am I receiving these errors on startup of WAS Universal Forwarder

Is there a way to use kv_mode=json and eliminate one level in spath?

What path do I use to add new files, images, and fonts to load on a dashboard?

Should we run Splunk Enterprise forwarders on Windows or Linux in our distributed search environment?

Can I use SED in configuration files?

How to configure indexes.conf to have indexed data deleted after 1 day or 24 hours?

How do I edit my code for a universal forwarder silent installation on Windows via CLI?

Is it possible to disable Load Balancing between Universal Forwarders and the Heavy Forwarder?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions