Getting Data In

Thread Info

Recommended load balancer for indexer

Hi splunkers, I just want to ask for any recommended or even tested loadbalancer upon forwarding logs to 3 indexer...

by Communicator in

Is there any ways to limit network traffic between Search Head and Peers ?

Hi Splunkers, I know about we are able to limit network traffic between Peer （a.k.a. Indexer ）and Universal Forwa...

by Contributor in

How to troubleshoot error on Splunk 6 universal forwarder "TcpOutputProc - Forwarding to indexer group GSOC blocked for 9500 seconds."?

how to fix this error , "WARN TcpOutputProc - Forwarding to indexer group GSOC blocked for 9500 seconds". I cant rece...

by Path Finder in

Is it possible to send Fortigate logs to multiple indexers via forwarders?

Hi, Good day splunkers. Is it the possible to forward Fortigate logs to multiple indexers via forwarders?, I alrea...

by Communicator in

Access Control: Is it possible to create views based on index name and/or sourcetype that we can set permissions for individually?

Hi all, I've got a new set of logs from one of our development teams for some in-house applications. They have wri...

by Super Champion in

How to configure props.conf to filter out events with CTRL-M (^M)?

Hi, It seems log file contains CTRL-M character will cause duplicate parsing in splunk indexer so I would like to fil...

by Builder in

How to monitor and report the amount of data indexed per host?

How can I use Splunk to tell me how much data per day each host is forwarding to Splunk? Basically, I need a report t...

by Communicator in

Conf files — splitting long lines

I am trying to split some really long lines we have put in our .conf files using the traditional Unix way of escaping...

by Explorer in

Why am I getting "ERROR TcpInputProc - Received unexpected 1380997408 byte message" forwarding my fortigate logs to Splunk?

Hi, I'm just new with splunk. I'm getting this error upon forwarding my fortigate logs to splunk. How can I set sp...

by Communicator in

Does splunk store the datetime each specific event was indexed ?

Sometimes, when troubleshooting inputs on large installations (deployment apps, several layers of forwarders, etc), i...

by Path Finder in

How to write regex to identify and use current timestamp for event if the timestamp field in data is missing?

Hi all, I want the "date" field to be used as timestamp. However, in some of the events this field is missing and ...

by Engager in

Command-line syntax to deploy universal forwarder with SSL certificates?

Based on the documentation provided, the proper command-line arguments to be used when deploying certificates is CERT...

by Explorer in

How to remove sources from disk via CLI?

Hello, We’re looking to remove data from one of our indexes, preferably using the clean operator from the CLI. ...

by Explorer in

Why am I getting "Connection to host=:9997 failed" after configuring a universal forwarder on Linux?

I have configured a universal forwarder on one of our Linux systems. When i check the logs it shows Connection to ...

by New Member in

Why am I getting errors failing to parse a Unix timestamp with my current configuration?

I have unix timestamp in my data file . review/time: 1182816000 review/summary: Periwinkle... To parse this tim...

by New Member in

Error while Redirect 514 to 9997

Hi guys, I have a source that send log via syslog push tcp 514. The configuration is working well on my SPlunk tes...

by Path Finder in

What happens when distributed search is enabled and one of the indexers goes down?

Hello, I've read Splunk documentation on that matter but I'm not able to find my answer. Does anyone know how Splu...

by Explorer in

Is there a way to create an additional index based on a discovered field?

I went through the Exploring Splunk book which states that the data is indexed w.r.t. _time, host , source & sourceTy...

by Path Finder in

How to troubleshoot why 90 data data retention configuration is not being applied?

I want to freeze all data older than 90 days. My /opt/splunk/etc/system/local/indexes.conf file looks like this ...

by New Member in

How to configure data inputs to forward files from storage instead of local drives?

Hi, i want to forward files from the storage instead of from the local drives, what would be the solution? thks

by Path Finder in

How to configure apache access logs generated in access.log_timestamp format in inputs.conf ?

Hi , We have apache access logs generated in below format . access.log_2014.11.11 , access.log_2014.11.12 , acc...

by New Member in

Cant find data added through inputs.conf

I tried adding the data through inputs.conf. I am trying to add sample log file from my system to the splunk server. ...

by Explorer in

In a cluster with a replication factor of 3, if one indexer is replaced, will a copy of the data from the 2 working indexers replicate to the new indexer?

Hi splunkers, Good day! I have a clustered setup of RF=3 and SF=3. I'm just curious, what if one of my indexers ne...

by Communicator in

When does the ANNOTATE_PUNCT props.conf setting apply? At input-time or index-time?

According to Splunk's documentation for props.conf, the ANNOTATE_PUNCT setting "Determines whether to index a special...

by Explorer in

Unable to parse timestamp from xml tag

I am facing problem with timestamp from xml file entry. Following is the sample tag from xml file <row Id="82949"...

by Engager in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Recommended load balancer for indexer

Is there any ways to limit network traffic between Search Head and Peers ?

How to troubleshoot error on Splunk 6 universal forwarder "TcpOutputProc - Forwarding to indexer group GSOC blocked for 9500 seconds."?

Is it possible to send Fortigate logs to multiple indexers via forwarders?

Access Control: Is it possible to create views based on index name and/or sourcetype that we can set permissions for individually?

How to configure props.conf to filter out events with CTRL-M (^M)?

How to monitor and report the amount of data indexed per host?

Conf files — splitting long lines

Why am I getting "ERROR TcpInputProc - Received unexpected 1380997408 byte message" forwarding my fortigate logs to Splunk?

Does splunk store the datetime each specific event was indexed ?

How to write regex to identify and use current timestamp for event if the timestamp field in data is missing?

Command-line syntax to deploy universal forwarder with SSL certificates?

How to remove sources from disk via CLI?

Why am I getting "Connection to host=:9997 failed" after configuring a universal forwarder on Linux?

Why am I getting errors failing to parse a Unix timestamp with my current configuration?

Error while Redirect 514 to 9997

What happens when distributed search is enabled and one of the indexers goes down?

Is there a way to create an additional index based on a discovered field?

How to troubleshoot why 90 data data retention configuration is not being applied?

How to configure data inputs to forward files from storage instead of local drives?

How to configure apache access logs generated in access.log_timestamp format in inputs.conf ?

Cant find data added through inputs.conf

In a cluster with a replication factor of 3, if one indexer is replaced, will a copy of the data from the 2 working indexers replicate to the new indexer?

When does the ANNOTATE_PUNCT props.conf setting apply? At input-time or index-time?

Unable to parse timestamp from xml tag

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

splunkd.log errors and broken fishbucket on splunk...

Getting Data In

Are you a member of the Splunk Community?

Discussions