Getting Data In

Ask a Question

Discussions

Thread Info

How to edit a props.conf for an aribitrary source?

Where do I go & how should I do it? I know what to change, [$sourcetype] MAX_EVENT = 100000 I would appreci...

by Explorer in

lookup tables: 2 sources fileds aliased to match 1 lookupfield

I have some very large lookup tables for known bad domains.(4m+ entries) the lookup has a field called 'kap_chk' ...

by Path Finder in

How to configure props.conf and transforms.conf to change Cisco ASA and ISE syslog sourcetypes and move them to different indexes?

Hi, I have cisco ASA and cisco ISE syslogs coming to splunk on udp1026 port. I would like to differentiate the sou...

by Explorer in

How to find events with duplicate field

Our application had a defect in a logging interceptor that led to a field being duplicated in an event but where both...

by New Member in

How to monitor two paths in the inputs.conf under one sourcetype

In my inputs.conf file, I have an entry for a sourcetype that I want to change. Currently, it monitors the path: /...

by Communicator in

Why my data go in the wrong Index ?

I have configured Windows logs input to a certain index Index_test_03, but very few data - tens - go there. Most of t...

by Builder in

How to parse JSON array using spath or any other option

Below is the log: qCode="SOME_CODE", qValue="[{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"2",...

by New Member in

line breaking...

Hi, I'm stumped. I've been playing with the linebreaking trying to get the format properly, and it won't work. The...

by Champion in

Duplicate GUIDS for standalone indexers, how can I safely correct this?

Just noticed I have a duplicate GUID for two standalone, load balanced (via splunk conf, not F5) indexers. Can I just...

by Communicator in

Why does my json event data show duplicate fields?

In my screenshot, you can see my events have duplicate fields. I am trying to figure out why this is occurring. The s...

by Path Finder in

Why is my universal forwarder VM failing to forward data?

I set up a small network using virtualbox and I am now having trouble forwarding data to the host. The laptop I am us...

by Communicator in

How to exclude searching of certain indexers by role?

I have a shared search head used by different groups where those groups have set up their own indexers. They want to ...

by Contributor in

How do I stop forwarding the _audit index?

Hi, I'm trying to stop forwarding _audit index. I put in my outputs.conf the following lines: [tcpout] forwarde...

by Engager in

Extract field from source field then run a lookup - config error?

I want to add a field extracttion to props.conf that will extract a portion of the uri field to create a custom field...

by Path Finder in

Date stamp in directory name

How can I configure splunk to index or accept the datestamp in the name of directories? The events only have time sta...

by Path Finder in

regex/props.conf - How to set properly the entries in .conf files?

Hi, I extracted from the default source field, in search-time, a new field called 'domain': | rex field=source "^(...

by Contributor in

Is it normal behavior for Splunk to block queues and stop forwarding data when one of two remote ports is closed?

Hello, I use a Splunk heavy forwarder and I would like to send inputs to a remote a server. I have two channels...

by Engager in

Group CSV data results by two or more matching values?

I'm indexing a CSV that appears like the following in its raw form: Filenum,string 1,abc 2,defg 2,abc 3,xyz 3,abc ...

by Splunk Employee in

How to search a Multi line windows event

Hi, I'm trying to search a multiline event from a windows server. I need to find out which changes was made with a...

by Contributor in

Extracting domain names (mvindex?)

I get the feeling this is going to be a tough one to solve, but, I'm trying to aggregate results of a search based up...

by Contributor in

TimeFormat Error from a line in nullQueue

The transform works and filters out the the matching line from going into the index but I still get these errors: ...

by Explorer in

Apply a lookup only to events before a certain time

I need to apply a lookup only to events before a certain point in time (the data added by the lookup is now included ...

by Explorer in

Scheduled scans are not load balancing across cluster and crashing the Indexer they get sent to.

I have a cluster of 4 indexers. The search head sends scheduled scans which always end up draining resources on one ...

by Engager in

Query about fill summary index

I've tried to run this.. ./splunk cmd python fill_summary_index.py -app search -name "summary" -et 06/14/2015:08:0...

by Explorer in

After installing and configuring universal forwarders, why can't I see the data in the indexer?

I have a universal forwarder installed in a few servers and I also have added the logs to be monitored for each. I'm ...

by Explorer in

Get Updates on the Splunk Community!

Getting Data In

Discussions

How to edit a props.conf for an aribitrary source?

lookup tables: 2 sources fileds aliased to match 1 lookupfield

How to configure props.conf and transforms.conf to change Cisco ASA and ISE syslog sourcetypes and move them to different indexes?

How to find events with duplicate field

How to monitor two paths in the inputs.conf under one sourcetype

Why my data go in the wrong Index ?

How to parse JSON array using spath or any other option

line breaking...

Duplicate GUIDS for standalone indexers, how can I safely correct this?

Why does my json event data show duplicate fields?

Why is my universal forwarder VM failing to forward data?

How to exclude searching of certain indexers by role?

How do I stop forwarding the _audit index?

Extract field from source field then run a lookup - config error?

Date stamp in directory name

regex/props.conf - How to set properly the entries in .conf files?

Is it normal behavior for Splunk to block queues and stop forwarding data when one of two remote ports is closed?

Group CSV data results by two or more matching values?

How to search a Multi line windows event

Extracting domain names (mvindex?)

TimeFormat Error from a line in nullQueue

Apply a lookup only to events before a certain time

Scheduled scans are not load balancing across cluster and crashing the Indexer they get sent to.

Query about fill summary index

After installing and configuring universal forwarders, why can't I see the data in the indexer?

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Parsing Multimetric Logs

SC4S Syslog server update fails during download wi...

SplunkForwarder flooding splunkd.log with reconnec...

Event break multiline PowerShell Transcript Log

uberAgent

Getting Data In

Are you a member of the Splunk Community?

Discussions