Getting Data In

Start a Conversation

Discussions

Start a Conversation

Thread Info

Huge disk space discrepancy on indexers in cluster

Some background: So we are having some problems in our environment, we have a cluster of indexers and some of the ...

by Explorer in

Why did setting "maxDataSize = auto_high_volume" for an index delete all events older than a year?

I originally had this in my indexes.conf file: [myindex] homePath = $SPLUNK_DB/myindex/db coldPath = $SPLUNK_DB/my...

by Communicator in

How to find the time difference between values in the same field

Hi all, I have a field that i am calling "code_load_date" and I am running a stats command that groups them by associ...

by Path Finder in

Monitor syslog Inputs

I currently have a syslog server forwarding data to our splunk instance. I wanted to know if there were any searches ...

by Path Finder in

What is the best way to fork events into a new sourcetype that will eventually become the only sourcetype?

Basically, I want to have ONE log file populating TWO sourcetypes at the same time. Identical events in both. Eventua...

by Builder in

How do I tell if a forwarder is down?

How can you differentiate between a forwarder being down and a forwarder not having any data to send ? i.e is there a...

by Path Finder in

sending WinEventLog://Application to different indexes

I have the following requirement: <ul> <li> send WinEventLog://Application , except for one specific EventCode to one...

by Path Finder in

Active Directory inputs missing SYNC event types after 6.2.1 upgrade?

As the question above states; Since the 6.2.1 update of Splunk, our active directory inputs are no longer gatherin...

by Communicator in

Can't seem to figure out wildcards when monitoring files (inputs.conf)

I've been messing about with this for a while now and I can't seem to figure out the rhyme or reason behind how wildc...

by Communicator in

ERROR ScriptRunner

Any idea as to what causes this error: 02-19-2014 17:17:01.577 -0500 ERROR ScriptRunner - extern write error: errn...

by Engager in

Can i tcpout to multiple servers with output.conf file?

Complete newbie to Splunk, have just setup a distributed search structure (1 deployment server, 1 search head, 2 inde...

by Path Finder in

Unable to forward syslogs coming in from UDP:514

Here is my setup on my Heavy Forwarder inputs.conf [udp://:514] sourcetype = syslog connection_host = ip disab...

by Explorer in

how to view data based on different time zone?

Hi, my splunk log is falling as charlotte time. when people from dubai or London or Denver viewwing the report....

by Explorer in

How to configure props.conf to set specific Datetime-configs on specific sources/sourcetypes from specific hosts?

I have an issue with two servers with WebSphere logs that have an overriding different timezone setting in the jvm. O...

by Communicator in

How to troubleshoot error "forwarding to indexer group default-autolb group blocked for N seconds"?

hello We have a Linux server running Splunk forwarder which forwards to one of two heavy forwarders in an autolb ...

by Path Finder in

Why does my Splunk universal forwarder monitor stop processing files the next day after they roll over?

Hi, I have a Splunk Universal Forwarder running on Windows 2012, monitoring a bunch of files in different folders....

by Champion in

How to access saved search artifacts from last Monday via REST API?

Let's say Splunk keeps the last job artifacts from an accelerated search which spans the last 7 days. What's the s...

by Builder in

Converting local apps into deployment apps, will forwarders start sending data that has already been indexed?

I have a handful of forwarders which have locally-configured apps on them, and I want to start converting those into ...

by New Member in

Is the Splunk 6.3 universal forwarder using 90% of your CPUs?

I'm not sure how long it has been happening, but I began to see it across our UFs today.

by Motivator in

Hard limit on whitelist for deployment server

Hello, Is there a hard limit on the number of servers you can have per whitelist class Seems I cant add more the...

by Explorer in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Huge disk space discrepancy on indexers in cluster

Why did setting "maxDataSize = auto_high_volume" for an index delete all events older than a year?

How to find the time difference between values in the same field

Monitor syslog Inputs

What is the best way to fork events into a new sourcetype that will eventually become the only sourcetype?

How do I tell if a forwarder is down?

sending WinEventLog://Application to different indexes

Active Directory inputs missing SYNC event types after 6.2.1 upgrade?

Can't seem to figure out wildcards when monitoring files (inputs.conf)

ERROR ScriptRunner

Can i tcpout to multiple servers with output.conf file?

Unable to forward syslogs coming in from UDP:514

how to view data based on different time zone?

How to configure props.conf to set specific Datetime-configs on specific sources/sourcetypes from specific hosts?

How to troubleshoot error "forwarding to indexer group default-autolb group blocked for N seconds"?

Why does my Splunk universal forwarder monitor stop processing files the next day after they roll over?

How to access saved search artifacts from last Monday via REST API?

Converting local apps into deployment apps, will forwarders start sending data that has already been indexed?

Is the Splunk 6.3 universal forwarder using 90% of your CPUs?

Hard limit on whitelist for deployment server

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor

why i get error that “could not load lookup xxx” w...

Do we have a Splunk script that will tell us the t...

Documentation for AWS app for S3

Why are Splunk some logs missing from kiwi syslog?

Get Blob Data W/O Key or SAS Token (use service ac...