Getting Data In

Thread Info

Input stanza path is not absolute.

How do I wildcard any windows drive letter in the inputs.conf stanza below? inputs.conf [monitor://[A-Z]:\Data\...

by Path Finder in

Is it possible to have a Splunk forwarder remove data from a monitored file after it has been successfully forwarded to an indexer?

I read somewhere this is possible, however I can't find where or how - looking for confirmation: Essentially I hav...

by Communicator in

How to tar splunkforwarder-6.2.4-271043-SunOS10-sparc.tar.z

I have downloaded the install file splunkforwarder-6.2.4-271043-SunOS10-sparc.tar.z for a server running solaris10. ...

by Engager in

How to query key values and draw timechart?

Here is the sample data. RED: 2086 GREEN: 1579 WHITE: 159 PINK: 348 ORANGE: 0

by New Member in

IIS data not parsing when input via TCP, but OK when input using "File & directories"

Hi. I'm brand new to using Splunk and just downloaded the Splunk Light trial. I've followed the tutorial video fo...

by New Member in

How to parse JSON log data?

I created an input in the _json format and send to it httpd access logs. I received such logs: Jul 14 14:35:44 172...

by Path Finder in

Are there adverse affects to having monitors for files that do not exist?

I have two platforms to monitor. I want to create one application that I can apply to all hosts that come on board. I...

by Builder in

Blacklisting directory not working - inputs.conf

inputs.conf [monitor:///home/foo/logs/*/app] whitelist = \.gmt.log$ blacklist = monitor disabled = false Under...

by Contributor in

Where does Splunk put custom source types created in Splunk Web?

I know that I can create custom source types by adding them to /etc/system/local/props.conf. However, I've created a ...

by Engager in

How to expand values for a field to multiple lines?

Hi, I have a field that I want to expand to multiple lines (it's email transactions), so I have a CSV of: sour...

by New Member in

If I have a Splunk forwarder installed on Box B, is there a way to monitor logs of Box A from Box B?

I want to monitor logs kept on a Linux box A, but I do not want to install a Splunk forwarder on box A. a Splunk forw...

by Path Finder in

can we modify a wrong timestamp?

the default _time are actually at the time of indexing. however my logs have another time string which i have to sepa...

by Communicator in

Props transforms.conf for source thats not playing nice

Hi All, I have been having significant trouble with one set of props/transforms for our environment. I have tried ...

by Path Finder in

Index large Json files

Hello, In our use of Splunk we have encountered several problems in JSON indexing that caused to upgrade our Splun...

by Explorer in

How would I develop and inject a custom output processor into the indexing pipeline?

I've found myself recently looking at the Pipelines in Splunk, through the How Indexing Works wiki page, or @amri...

by Influencer in

When I try to add Data Input, why do I get a blank screen with no options to proceed?

When I try to add Data Input, a blank screen appears. It s not moving forward and gives me no option to proceed.

by Explorer in

Tracking down an input going to a bad index

Just had this pop up; there is only one instance of it in the notification area, but the time stamp keeps advancing, ...

by Contributor in

Splunk not reconignizing DNS name

The VM server is using the local name to bind to the application interface, thus data is being sent over on eth1-0, a...

by New Member in

Logs Not Being Indexed

I'm fairly new to Splunk and I can't figure out how to get Splunk to index my logs. I have configured my WebSense dev...

by Explorer in

How to view data retention settings in Splunk

Was wondering how I can view my data retention settings in Splunk. Installation is on a Linux platform.

by Engager in

How to send lines to the nullQueue before applying line breaking

An app of ours spits such a huge volume of data when our Devs increase its debug level to Trace that it essentially r...

by Builder in

How do I edit my inputs.conf monitor stanzas with wildcards to only monitor two types of logs?

Hi everyone, I have 3 folders called: www1, www2, www3, and I would like to get only 2 types of logs: security.log...

by Communicator in

Is there a way to monitor Splunk knowledge object permissions?

I am trying to generate report daily to monitor changes in knowledge objects (changes in permissions/new artifacts cr...

by Contributor in

Comparing a field value with an entire column or CSV

I have been searching for how to do this for the longest time and it's rather frustrating that I can't seem to find a...

by Explorer in

Heavy forwarder stops forwarding when tcp syslog mirror destination fails?

Hi, I am successfully mirroring a filtered set of events at a heavy forwarder and sending them to a local TCP Syslog ...

by Engager in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Input stanza path is not absolute.

Is it possible to have a Splunk forwarder remove data from a monitored file after it has been successfully forwarded to an indexer?

How to tar splunkforwarder-6.2.4-271043-SunOS10-sparc.tar.z

How to query key values and draw timechart?

IIS data not parsing when input via TCP, but OK when input using "File & directories"

How to parse JSON log data?

Are there adverse affects to having monitors for files that do not exist?

Blacklisting directory not working - inputs.conf

Where does Splunk put custom source types created in Splunk Web?

How to expand values for a field to multiple lines?

If I have a Splunk forwarder installed on Box B, is there a way to monitor logs of Box A from Box B?

can we modify a wrong timestamp?

Props transforms.conf for source thats not playing nice

Index large Json files

How would I develop and inject a custom output processor into the indexing pipeline?

When I try to add Data Input, why do I get a blank screen with no options to proceed?

Tracking down an input going to a bad index

Splunk not reconignizing DNS name

Logs Not Being Indexed

How to view data retention settings in Splunk

How to send lines to the nullQueue before applying line breaking

How do I edit my inputs.conf monitor stanzas with wildcards to only monitor two types of logs?

Is there a way to monitor Splunk knowledge object permissions?

Comparing a field value with an entire column or CSV

Heavy forwarder stops forwarding when tcp syslog mirror destination fails?

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions