Getting Data In

Discussions

Thread Info

How to write regex to identify and use current timestamp for event if the timestamp field in data is missing?

Hi all, I want the "date" field to be used as timestamp. However, in some of the events this field is missing and ...

by Engager in

Command-line syntax to deploy universal forwarder with SSL certificates?

Based on the documentation provided, the proper command-line arguments to be used when deploying certificates is CERT...

by Explorer in

How to remove sources from disk via CLI?

Hello, We’re looking to remove data from one of our indexes, preferably using the clean operator from the CLI. ...

by Explorer in

Why am I getting "Connection to host=:9997 failed" after configuring a universal forwarder on Linux?

I have configured a universal forwarder on one of our Linux systems. When i check the logs it shows Connection to ...

by New Member in

Why am I getting errors failing to parse a Unix timestamp with my current configuration?

I have unix timestamp in my data file . review/time: 1182816000 review/summary: Periwinkle... To parse this tim...

by New Member in

Error while Redirect 514 to 9997

Hi guys, I have a source that send log via syslog push tcp 514. The configuration is working well on my SPlunk tes...

by Path Finder in

What happens when distributed search is enabled and one of the indexers goes down?

Hello, I've read Splunk documentation on that matter but I'm not able to find my answer. Does anyone know how Splu...

by Explorer in

Is there a way to create an additional index based on a discovered field?

I went through the Exploring Splunk book which states that the data is indexed w.r.t. _time, host , source & sourceTy...

by Path Finder in

How to troubleshoot why 90 data data retention configuration is not being applied?

I want to freeze all data older than 90 days. My /opt/splunk/etc/system/local/indexes.conf file looks like this ...

by New Member in

How to configure data inputs to forward files from storage instead of local drives?

Hi, i want to forward files from the storage instead of from the local drives, what would be the solution? thks

by Path Finder in

How to configure apache access logs generated in access.log_timestamp format in inputs.conf ?

Hi , We have apache access logs generated in below format . access.log_2014.11.11 , access.log_2014.11.12 , acc...

by New Member in

Cant find data added through inputs.conf

I tried adding the data through inputs.conf. I am trying to add sample log file from my system to the splunk server. ...

by Explorer in

In a cluster with a replication factor of 3, if one indexer is replaced, will a copy of the data from the 2 working indexers replicate to the new indexer?

Hi splunkers, Good day! I have a clustered setup of RF=3 and SF=3. I'm just curious, what if one of my indexers ne...

by Communicator in

When does the ANNOTATE_PUNCT props.conf setting apply? At input-time or index-time?

According to Splunk's documentation for props.conf, the ANNOTATE_PUNCT setting "Determines whether to index a special...

by Explorer in

Unable to parse timestamp from xml tag

I am facing problem with timestamp from xml file entry. Following is the sample tag from xml file <row Id="82949"...

by Engager in

How to troubleshoot why my intermediate forwarder is not working, causing 600 universal forwarders to not send data to indexers?

I have a ticket in with support but this may be faster. My intermediate forwarder is not working right. When I res...

by Motivator in

Why can't I see the Forwarder Inputs section under Data Inputs after upgrade from Splunk 6.1.4 to 6.2 and using DB Connect 1.1.4?

I followed the following steps while while upgrading from Splunk 6.1.4 to 6.2, but the Forwarder Inputs section under...

by Splunk Employee in

What are hardware recommendations for servers and indexers in our cluster setup?

Hi, Just a newbie here. Im planning to have a RF=3 SF=3 clustered setup with 5GB on a raid 10 a day volume running...

by Communicator in

Why is the timestamp not recognized for one particular event from our Microsoft TMG Proxy Logs?

Hi Splunkers, I have a strange problem with Microsoft TMG, Splunk can't find the time stamp on one particular eve...

by Path Finder in

How to configure props.conf and transforms.conf on Windows heavy forwarder to remove unwanted characters in rsyslog logs?

Hi there, We have a Windows Heavy Forwarder which gets Windows logs. We want to send these logs to an external Rsy...

by New Member in

Why can't I see any Windows data forwarded from a Win7 machine with a universal forwarder installed and monitoring configured?

Hi everybody, I need to set up a system monitor that collects logon and logout data from some Windows machines (serve...

by New Member in

How to properly parse timestamps in Splunk for some text log files in a directory that have dates without a year?

I have seen somewhat similar issues on here, but none that meet my situation. I have a directory on a Windows serv...

by Communicator in

Why is my configuration to anonymize data not working for fields named by FIELD_NAMES in props.conf?

Hallo, I am in the need of anonymizing the second column in a tab-separated log file. I use the method described in ...

by Explorer in

search time field extractions using props for an Indexed field

Hello Experts, We have a field xyz which holds mac addresses. Problem is, some of the mac addresses are of xx:xx:xx:x...

by Motivator in

How to move internal logs from Deployment Server _internal db to Index Server _internal db?

Hello, I'm having a hard time finding a way forwarding all the internal logs from my Deployment server to the Inde...

by Path Finder in

Get Updates on the Splunk Community!

Getting Data In

Discussions

How to write regex to identify and use current timestamp for event if the timestamp field in data is missing?

Command-line syntax to deploy universal forwarder with SSL certificates?

How to remove sources from disk via CLI?

Why am I getting "Connection to host=:9997 failed" after configuring a universal forwarder on Linux?

Why am I getting errors failing to parse a Unix timestamp with my current configuration?

Error while Redirect 514 to 9997

What happens when distributed search is enabled and one of the indexers goes down?

Is there a way to create an additional index based on a discovered field?

How to troubleshoot why 90 data data retention configuration is not being applied?

How to configure data inputs to forward files from storage instead of local drives?

How to configure apache access logs generated in access.log_timestamp format in inputs.conf ?

Cant find data added through inputs.conf

In a cluster with a replication factor of 3, if one indexer is replaced, will a copy of the data from the 2 working indexers replicate to the new indexer?

When does the ANNOTATE_PUNCT props.conf setting apply? At input-time or index-time?

Unable to parse timestamp from xml tag

How to troubleshoot why my intermediate forwarder is not working, causing 600 universal forwarders to not send data to indexers?

Why can't I see the Forwarder Inputs section under Data Inputs after upgrade from Splunk 6.1.4 to 6.2 and using DB Connect 1.1.4?

What are hardware recommendations for servers and indexers in our cluster setup?

Why is the timestamp not recognized for one particular event from our Microsoft TMG Proxy Logs?

How to configure props.conf and transforms.conf on Windows heavy forwarder to remove unwanted characters in rsyslog logs?

Why can't I see any Windows data forwarded from a Win7 machine with a universal forwarder installed and monitoring configured?

How to properly parse timestamps in Splunk for some text log files in a directory that have dates without a year?

Why is my configuration to anonymize data not working for fields named by FIELD_NAMES in props.conf?

search time field extractions using props for an Indexed field

How to move internal logs from Deployment Server _internal db to Index Server _internal db?

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

DB Connect SQL Procedures

Possible lineabreaker issue with lastlog in Splunk...

Splunk HF Stops Receiving Fortigate WAF Logs via S...

_TCP_ROUTING with clustered indexers system logs

JSON Data extraction issues with Comma