Getting Data In

Discussions

Thread Info

Help to find daily indexed data size by each index

Need your help, Can you please tell us, how to find daily indexed data size by each index?

by Builder in

How do I know if my application is used on desktop vs mobile

Hi there I want to log information to understand if my application is heavily used on desktop or mobile or tablet..!!...

by New Member in

What is recommended to prevent broken multiline events that are caused by a delayed output from a command?

About The log file is overwritten each time, therefore the MUST_NOT_BREAK_AFTER in the current definition does wor...

by Contributor in

Heavy forwarders are not auto load-balancing evenly

I'm having a problem right now where I'm not seeing an even distribution across my indexers. I have 21 indexers (inde...

by Explorer in

Missing events from monitored logs

Hi all, We have realised recently that one of our application logs is missing a large number of events. This was e...

by Communicator in

After a Disaster Recovery switchover, why did Linux universal forwarders running Splunk 6.1.1 not pick up new logs in the monitored directory?

Hi all, Recently we performed a Disaster Recovery switchover. It was found out after the switchover that none of t...

by Communicator in

How do I change the NIC that Splunk Universal Forwarder uses to communicate?

I want to change the NIC that the Splunk Universal Forwarder communicates and sends data through if the server has mu...

by Explorer in

Why am I unable to forward Linux syslog to my Splunk indexer with my current configuration?

Hi, I'm trying to forward /var/log/anaconda/syslog from my linux machine to my splunk indexer, but it's not comin...

by Explorer in

如何区分日志的每一条记录

1、日志是以时间开头的，比如：00:11:12:471，也就是当天零点11分12秒471毫秒，可是，splunk识别的时间为15/06/11 2:00 00 000 该怎么办？ 2、如下的一行，事实上不是一条新的记录，只是上一条...

by New Member in

matching value of two fields csv file with some value and return value of third field

Hi, My requirement is to match two fields of csv file and get value of third field. I have student name and roll n...

by Communicator in

Why running "splunk enable boot-start" did not start the indexing of my log data?

Splunk was installed and run as root. I did a "splunk enable boot-start" which created a /etc/init.d/splunk script. U...

by Path Finder in

Upgraded Windows Domain Controllers from 2008 R2 to 2012 R2, why are 6.2.2 and 6.2.3 universal forwarders not forwarding Security Event Logs?

My Help Desk relies upon using the Splunk server to assist with identifying the source machine or BYOD for account lo...

by Explorer in

How do I edit my props.conf for proper timestamp format of my sample data?

Hi, I need to setup a props for an event with the following format. Not certain what to put for "Z" (or if it's ne...

by Champion in

How do I cluster a new index server with my production index server?

I have one indexer and would like to add another indexer for redundancy. Is it possible to cluster the two together a...

by Communicator in

How to parse the date_time and event_time fields from my raw data in PSV format?

hi, i have some mainframe logs coming into splunk which is in PSV (pipe separated value) format. have managed to p...

by Path Finder in

After making a change to props.conf TIME_FORMAT and SHOULD_LINEMERGE attributes, do I restart splunkd on my deployment server or indexer?

After making a change to my props.conf TIME_FORMAT and SHOULD_LINEMERGE attribute (multiple events started merging to...

by Communicator in

How to push inputs.conf changes to multiple universal forwarders in my Splunk environment without editing each individual machine?

I am getting to the point where I have quite a few Universal Forwarders in my Splunk infrastructure. I was wondering ...

by Path Finder in

Why is a props.conf change on a universal forwarder not being applied in a multisite Splunk 6.2.0 indexer clustering environment?

I have a Splunk 6.2.0 multisite cluster setup. Per site, there is one indexer, one search head and a master. I am pul...

by Engager in

Splunk Checkpoint FW grabber collecting more logs than the one of the logserver

I have a strange case where we see more logs in Splunk from the Checkpoint App than the ones in the Checkpoint log se...

by Motivator in

Changed outputs.conf, but why is my Universal Forwarder still sending to the old server, even after a restart?

I've changed the outputs.conf file on my Universal Forwarder to direct to a different server, and restarted the servi...

by Path Finder in

How to monitor the Internet Explorer Process in Splunk?

Hello, For security reasons, I have to monitor processes, especially the IExplore Process. Open connections are im...

by Explorer in

How can i automate indexing of logs to splunk web?

Hi everyone, My everyday process is to upload logs to splunk web and take a report and analyse it. So in this, ...

by Path Finder in

What would cause a blocked queue on an ec2 host and is there any tuning that can solve and prevent this issue?

We have ~50 hosts that are placed on various locations outside our data center. To receive logs from these hosts we h...

by Engager in

Running scripts from indexer to linux forwarder

I am trying to set up searchable scripts however when i am on my indexer and go to add data and select forwarders it ...

by Explorer in

Is it possible to use a Universal Forwarder to write logs directly to HDFS?

Hi, I installed and configured Hunk to read data from HDFS. I'm trying to use Universal Forwarder to write dire...

by New Member in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Help to find daily indexed data size by each index

How do I know if my application is used on desktop vs mobile

What is recommended to prevent broken multiline events that are caused by a delayed output from a command?

Heavy forwarders are not auto load-balancing evenly

Missing events from monitored logs

After a Disaster Recovery switchover, why did Linux universal forwarders running Splunk 6.1.1 not pick up new logs in the monitored directory?

How do I change the NIC that Splunk Universal Forwarder uses to communicate?

Why am I unable to forward Linux syslog to my Splunk indexer with my current configuration?

如何区分日志的每一条记录

matching value of two fields csv file with some value and return value of third field

Why running "splunk enable boot-start" did not start the indexing of my log data?

Upgraded Windows Domain Controllers from 2008 R2 to 2012 R2, why are 6.2.2 and 6.2.3 universal forwarders not forwarding Security Event Logs?

How do I edit my props.conf for proper timestamp format of my sample data?

How do I cluster a new index server with my production index server?

How to parse the date_time and event_time fields from my raw data in PSV format?

After making a change to props.conf TIME_FORMAT and SHOULD_LINEMERGE attributes, do I restart splunkd on my deployment server or indexer?

How to push inputs.conf changes to multiple universal forwarders in my Splunk environment without editing each individual machine?

Why is a props.conf change on a universal forwarder not being applied in a multisite Splunk 6.2.0 indexer clustering environment?

Splunk Checkpoint FW grabber collecting more logs than the one of the logserver

Changed outputs.conf, but why is my Universal Forwarder still sending to the old server, even after a restart?

How to monitor the Internet Explorer Process in Splunk?

How can i automate indexing of logs to splunk web?

What would cause a blocked queue on an ec2 host and is there any tuning that can solve and prevent this issue?

Running scripts from indexer to linux forwarder

Is it possible to use a Universal Forwarder to write logs directly to HDFS?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services

No such file or directory: 'java' adding JMX acco...

WARN SSLCommon [53742 FwdDataReceiverThread] - Re...

Configuring Splunk OTel Collector for Linux/Window...

Upload failed with ERROR: Read Timeout

DB Connect SQL Procedures