Getting Data In

Discussions

Thread Info

Why are Blue Coat logs not being forwarded to indexers from FTP servers with my current universal forwarder inputs.conf configuration?

I have FTP servers where all the proxies are sending logs. I installed the Universal Forwarder on this server (Window...

by Contributor in

What happens if a large log file being monitored hasn't fully been forwarded at the time of rotation?

If I'm monitoring a very large logfile [monitor:///home/me/logs] whitelist = (myApp)\.log$ /home/me/logs/myApp.lo...

by Contributor in

Is it possible to have your sourcetype be determined at index-time based on host?

Title pretty self explanatory. The files that I am indexing are having their host be determined by the directory in w...

by Explorer in

How to configure the retention policy for an index to delete data that is one hour old?

Hi, We have an index, and for every half an hour, it's indexing with 350,000 of events. After every ONE Hour, the ...

by Path Finder in

How to export IPs of all hosts logging to a specific index to a text file, and can we choose where this file is exported to?

Hello all - hoping this isn't too difficult. I am looking to export the IP addresses of all hosts logging to a sp...

by New Member in

After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

Hello I upgraded to a 6.3.1 Splunk forwarder on a Windows 2012 server. Connectivity is fine and Security logs are ...

by New Member in

What are best practices for setting up the retention policy for our indexer buckets?

We have about a 3 TB/day ingest rate, spread across about 20 indexes, and we have a 2 to 5 year retention time depend...

by Path Finder in

Why are events with timestamps being grouped together in one event?

We see some events with timestamps clubbed together in one event. Changing the props.conf did not help to resolve the...

by Communicator in

Server and Web Browser are in another time zone from display on Citrix Xenapp client and timeline time zone is wrong no matter what the account timezone is set to

There is (was?) SPL-46852 If you change the time zone of the current Splunk Web user to be different from the serv...

by Engager in

How do I configure Splunk to prevent 3 separate events from being merged as a single event?

When I search on one of the indexes, I get the data in a single event. It should be three separate events. How can we...

by Communicator in

How to verify IP addresses from 1 index to IPs of another index to resolve hostnames?

Hello I was hoping to find some help regarding a 2 indexes we log in Splunk. We use BlueCoat logs to log all the T...

by New Member in

Is it possible to collect Windows event logs from a NAS server (Public folder) without a universal forwarder?

Dear guys, Is it possible to gather Windows event logs to indexer server by way of NAS Server which were transferr...

by New Member in

Upgrading Splunk on Windows 2008 R2, how can I uninstall the universal forwarder if a control panel option is not available?

Hi, I am trying to upgrade Splunk version on Windows 2008 R2. Can you suggest me any way to uninstall Splunk unive...

by New Member in

How can I send logs using forwarded to Splunk at the fastest speed possible?

Hello, I have a Linux box which has 10 Gb interface. Is there any way, I can send logs without throttling them at ...

by Explorer in

Why are we seeing high memory usage with a Splunk 6.2.3 forwarder installed on a Windows server?

We are currently having an issue with Splunk forwarder installed on a Windows server. It takes up a lot of memory uti...

by New Member in

Filter events and use SEDCMD?

I am trying to filter events and then apply a sed script to only the events that I want to keep. I want to discard al...

by Builder in

How to show a deployed index in Splunk Web on a search head to add data?

Hi, We are using a Splunk Enterprise installation that uses the following: 1 search head, also acts as a deploymen...

by Path Finder in

Is there a simple matrix for estimating the number of cores necessary for a certain amount of indexing speed?

Hi I am needing information for sizing of necessary CPU cores for indexer. In capacity planning doc, indexing will...

by Splunk Employee in

How to delete existing indexed events?

Hi, I saw multiple junk Windows security events filling up my disk space. I now filtered unnecessary events. How ...

by Explorer in

How do I filter out some Windows events at Search Head/Indexer (RHEL 6 install) Splunk 6.3.1?

New Splunk server, initial tuning period. Working on tuning and filtering. Server shows two event types as most frequ...

by New Member in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Why are Blue Coat logs not being forwarded to indexers from FTP servers with my current universal forwarder inputs.conf configuration?

What happens if a large log file being monitored hasn't fully been forwarded at the time of rotation?

Is it possible to have your sourcetype be determined at index-time based on host?

How to configure the retention policy for an index to delete data that is one hour old?

How to export IPs of all hosts logging to a specific index to a text file, and can we choose where this file is exported to?

After upgrading our Windows Splunk forwarder from Splunk 6.1.2 to 6.3.1, why are application and system logs not being sent?

What are best practices for setting up the retention policy for our indexer buckets?

Why are events with timestamps being grouped together in one event?

Server and Web Browser are in another time zone from display on Citrix Xenapp client and timeline time zone is wrong no matter what the account timezone is set to

How do I configure Splunk to prevent 3 separate events from being merged as a single event?

How to verify IP addresses from 1 index to IPs of another index to resolve hostnames?

Is it possible to collect Windows event logs from a NAS server (Public folder) without a universal forwarder?

Upgrading Splunk on Windows 2008 R2, how can I uninstall the universal forwarder if a control panel option is not available?

How can I send logs using forwarded to Splunk at the fastest speed possible?

Why are we seeing high memory usage with a Splunk 6.2.3 forwarder installed on a Windows server?

Filter events and use SEDCMD?

How to show a deployed index in Splunk Web on a search head to add data?

Is there a simple matrix for estimating the number of cores necessary for a certain amount of indexing speed?

How to delete existing indexed events?

How do I filter out some Windows events at Search Head/Indexer (RHEL 6 install) Splunk 6.3.1?

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Why are AWX and HEC not working?

Why are source/host/sourcetype fields dropping thr...

How do I get Windows server cipher data into Splun...

Splunk Add on for Microsoft Azure Secure Score- Ho...

Receiving error that “could not load lookup xxx” w...