Getting Data In

Thread Info

What log4j ConversionPattern should I use to match splunk log4j sourcetype?

I have a webapp running in Tomcat. I'm using Log4j for my logging, and whenever I load the .log file in Splunk it is ...

by Engager in

Asteriks and inputs.conf

Hello, I have the following path /foo/bar[1-n]/logs/ I have several bar folders (bar1,bar2 ... bar1337 ) and insid...

by New Member in

How to send syslog data to a specific index based on a string in the log?

I have syslog data coming to a distributed environment. I am trying to send the data to a specific index based on a s...

by Communicator in

How do you request customer_identifier_all_forwarder_outputs.zip?

Does anyone know how to re-trigger the "Welcome to Splunk!" e-mail referenced in this documentation? http://docs.splu...

by Explorer in

GUI not showing all field extractions from props.conf

When I add search time Extractions directly to /opt/splunk/etc/apps/search/local/props.conf they will be used at sear...

by Communicator in

How to troubleshoot why 1 of 2 files is no longer getting indexed after updating glibc and restarting our heavy forwarders using Splunk 5.0.11?

Hi. This is regarding Splunk 5.0.11 Universal Forwarder and Heavy Forwarder. We rebooted 2 Heavy Forwarders today ...

by Path Finder in

Event filtering is not working as expected... what's missing?

I am pulling my hair off on this one. I am trying to remove from the windows firewall logs all the IPv6 link local an...

by Path Finder in

How to blacklist files in my data input where the filename has a .bin extension?

I have a directory with filenames like the ones below and want to blacklist the files in my data input where the file...

by New Member in

Splunk DB Connect: Why can't I get java bridge to run after configuring splunkd to use SSL with syntax copied from the release notes?

After configuring splunkd to use SSL, with /etc/system/local/server.conf [sslConfig] enableSplunkdSSL = true s...

by Explorer in

MultiLine Event- How to Ignore/Drop Specific Events

Hi, I have a multi line flat file where I want to ignore/drop specifc events. I'm using the Universial Forwarder, ...

by Contributor in

[RESOLVED] Forwarder stops at midnight on Windows 2012R2 DHCP server log

I have Splunk Universal Forwarders on 4 Windows 2012R2 servers, monitoring the DHCP server logs with this stanza: ...

by Contributor in

How to use fields from different source types in the same search?

Hi all, I am looking to try and figure out how to compose a query that has information I need in two distinct sour...

by New Member in

Is thawedPath in indexes.conf recommended?

Hi Splunkers, I just want to ask if it is required in indexes.conf to specify the thawedPath? Thanks, Eddel

by Communicator in

Why are new events resulting from mvexpand picking up special characters when exporting to CSV and how to avoid this?

This is a strange one, I have a data source which has multiple values in two separate fields so I use the makemv and ...

by Path Finder in

Stricter search gives me more results...what?

I have a query that looks like this index=*ind* ((source=*src1.log field=NAME) OR (source=*src1.log field=STRING))...

by Path Finder in

Why is my props.conf configuration not parsing JBoss GC logs properly?

Hi guys, I'm trying to parse GC logs from JBoss which look like this: {Heap before GC invocations=1 (full 0): ...

by Explorer in

How do I send logs from a SSL VPN device to Splunk Heavy Forwarder?

I would like to configure a SSL VPN device to send the logs over to the Splunk Heavy Forwarder on udp/514. How do I c...

by Loves-to-Learn in

Why does Splunk sometimes insert the a blank line in forwarded log4net logs?

I have the following log punch by log4net DATE : 02-10-2015 05:06:37 URL : http://localhost/229/processTy...

by New Member in

Events being cut when Linecount > 206. How to increase this limit?

For a web service call, my event has a linecount=220. But when looking at the response in Splunk, it is cutting the e...

by SplunkTrust in

Universal Forwarder - Timezone by sourcetype not working?

Just starting out with Splunk recently, still using the free version for now. My Splunk head, indexer & deployment se...

by New Member in

How to set a correct line breaks in my props.conf

The first picture is my original logs The second picture is my logs in the splunk Now,we can see the ...

by Communicator in

Why SEDCMD configured in props.conf is working during Data Preview but not during SEARCH?

Hello, I have configured a SEDCMD in props.conf to remove a few unwanted lines of logs. During data preview, the S...

by Super Champion in

Can Splunk strptime() work with the date before 1970-01-01 in epoch format?

Sometime I have a timestamp like -633945600.000 in my data. I found a previous post where someone said Splunk only su...

by Explorer in

UF persistentQueue tcp,UF persistentQueueSize tcp://8088

We have an application that sends it's data to the UF on tcp port 8088. When the indexers are down we want the UF to ...

by Path Finder in

WMI not working on one system

I have installed the UF on 4 systems, but one is giving me the following error... 03-02-2012 10:46:33.860 -0500 ER...

by Contributor in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

What log4j ConversionPattern should I use to match splunk log4j sourcetype?

Asteriks and inputs.conf

How to send syslog data to a specific index based on a string in the log?

How do you request customer_identifier_all_forwarder_outputs.zip?

GUI not showing all field extractions from props.conf

How to troubleshoot why 1 of 2 files is no longer getting indexed after updating glibc and restarting our heavy forwarders using Splunk 5.0.11?

Event filtering is not working as expected... what's missing?

How to blacklist files in my data input where the filename has a .bin extension?

Splunk DB Connect: Why can't I get java bridge to run after configuring splunkd to use SSL with syntax copied from the release notes?

MultiLine Event- How to Ignore/Drop Specific Events

[RESOLVED] Forwarder stops at midnight on Windows 2012R2 DHCP server log

How to use fields from different source types in the same search?

Is thawedPath in indexes.conf recommended?

Why are new events resulting from mvexpand picking up special characters when exporting to CSV and how to avoid this?

Stricter search gives me more results...what?

Why is my props.conf configuration not parsing JBoss GC logs properly?

How do I send logs from a SSL VPN device to Splunk Heavy Forwarder?

Why does Splunk sometimes insert the a blank line in forwarded log4net logs?

Events being cut when Linecount > 206. How to increase this limit?

Universal Forwarder - Timezone by sourcetype not working?

How to set a correct line breaks in my props.conf

Why SEDCMD configured in props.conf is working during Data Preview but not during SEARCH?

Can Splunk strptime() work with the date before 1970-01-01 in epoch format?

UF persistentQueue tcp,UF persistentQueueSize tcp://8088

WMI not working on one system

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting

How to integrate SentinelOne Singularity Enterpris...

splunkd.log errors and broken fishbucket on splunk...

update to Splunk Add-on for Infoblox?

CSAM Reports - 500 ERROR

JSON Data extraction issues with Comma