Getting Data In

Discussions

Thread Info

Cant find data added through inputs.conf

I tried adding the data through inputs.conf. I am trying to add sample log file from my system to the splunk server. ...

by Explorer in

In a cluster with a replication factor of 3, if one indexer is replaced, will a copy of the data from the 2 working indexers replicate to the new indexer?

Hi splunkers, Good day! I have a clustered setup of RF=3 and SF=3. I'm just curious, what if one of my indexers ne...

by Communicator in

When does the ANNOTATE_PUNCT props.conf setting apply? At input-time or index-time?

According to Splunk's documentation for props.conf, the ANNOTATE_PUNCT setting "Determines whether to index a special...

by Explorer in

Unable to parse timestamp from xml tag

I am facing problem with timestamp from xml file entry. Following is the sample tag from xml file <row Id="82949"...

by Engager in

How to troubleshoot why my intermediate forwarder is not working, causing 600 universal forwarders to not send data to indexers?

I have a ticket in with support but this may be faster. My intermediate forwarder is not working right. When I res...

by Motivator in

Why can't I see the Forwarder Inputs section under Data Inputs after upgrade from Splunk 6.1.4 to 6.2 and using DB Connect 1.1.4?

I followed the following steps while while upgrading from Splunk 6.1.4 to 6.2, but the Forwarder Inputs section under...

by Splunk Employee in

What are hardware recommendations for servers and indexers in our cluster setup?

Hi, Just a newbie here. Im planning to have a RF=3 SF=3 clustered setup with 5GB on a raid 10 a day volume running...

by Communicator in

Why is the timestamp not recognized for one particular event from our Microsoft TMG Proxy Logs?

Hi Splunkers, I have a strange problem with Microsoft TMG, Splunk can't find the time stamp on one particular eve...

by Path Finder in

How to configure props.conf and transforms.conf on Windows heavy forwarder to remove unwanted characters in rsyslog logs?

Hi there, We have a Windows Heavy Forwarder which gets Windows logs. We want to send these logs to an external Rsy...

by New Member in

Why can't I see any Windows data forwarded from a Win7 machine with a universal forwarder installed and monitoring configured?

Hi everybody, I need to set up a system monitor that collects logon and logout data from some Windows machines (serve...

by New Member in

How to properly parse timestamps in Splunk for some text log files in a directory that have dates without a year?

I have seen somewhat similar issues on here, but none that meet my situation. I have a directory on a Windows serv...

by Communicator in

Why is my configuration to anonymize data not working for fields named by FIELD_NAMES in props.conf?

Hallo, I am in the need of anonymizing the second column in a tab-separated log file. I use the method described in ...

by Explorer in

search time field extractions using props for an Indexed field

Hello Experts, We have a field xyz which holds mac addresses. Problem is, some of the mac addresses are of xx:xx:xx:x...

by Motivator in

How to move internal logs from Deployment Server _internal db to Index Server _internal db?

Hello, I'm having a hard time finding a way forwarding all the internal logs from my Deployment server to the Inde...

by Path Finder in

NullQ output to a File?

Hi, I have applied NullQ and IndexQ filtering on my log files at Heavy Forwarder. But the client demands, we do no...

by Communicator in

I have a universal forwarder installed on a linux syslog server, have created an deployment app and see that it is deployed to the server, but the data is not showing up, any suggestions?

I have created an index called prod_syslog with four sourcetypes monitoring the below paths. I see this app is deploy...

by Explorer in

Why Linux search head does not pick up new search-time extractions or field aliases from Windows indexers' configuration?

I have a Linux server that forwards data (no local indexing) and also acts as a search head with two Windows search p...

by Explorer in

How to configure inputs.conf to apply crcsalt for only a few files under a directory/folder, not all of them?

I need to apply CRCsalt for only few file under dir/folder not all of them. Below is my current inputs.conf [monit...

by Path Finder in

How to split a value that is delimited lines inside of a delimited line

Here's a puzzler for you all. I have SharePoint search logs coming in. The results field has a value like this: 4#...

by Communicator in

IIS failedRequests - How to define line breaking for XML / Filter events in XML to nullQueue

I am trying to configure Splunk to index IIS failedrequests. My priority is To have Splunk indexing the Event- ta...

by Contributor in

Why splunkd or splunkweb services do not start after upgrade from Splunk 6.1.1 to 6.2 on Windows 2008 64bit??

Running windows 2008 64bit , simply wanted to upgrade as it was prompting me too and got annoying so I did now it's b...

by Explorer in

Getting logs for after hours access

Hello, I want to be able to get logs from Splunk for anyone who came in to the building between 7PM and 7AM the ne...

by Path Finder in

How to create a month over month, year over year report on web analytics metrics data from CSV files?

Hi folks! This is my first post here. I am new to Splunk although I have been intensively working with it for the las...

by New Member in

日時情報の抽出方法について

ログ内の日付と時刻が続けて表示されていない場合、どのように抽出すれば良いでしょうか。例えば、以下のように日時情報が030216の部分で、つまり、03時02分16秒となっていまして、日付情報が120814の部分で、つまり、12...

by Contributor in

What sourcetype should I set Cisco:asa switch data to and how to set two different sourcetypes for one UDP data input?

I have Splunk configured with UDP 514 as data input, with sourcetype cisco:asa (firewall) in the main index. However...

by Communicator in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Cant find data added through inputs.conf

In a cluster with a replication factor of 3, if one indexer is replaced, will a copy of the data from the 2 working indexers replicate to the new indexer?

When does the ANNOTATE_PUNCT props.conf setting apply? At input-time or index-time?

Unable to parse timestamp from xml tag

How to troubleshoot why my intermediate forwarder is not working, causing 600 universal forwarders to not send data to indexers?

Why can't I see the Forwarder Inputs section under Data Inputs after upgrade from Splunk 6.1.4 to 6.2 and using DB Connect 1.1.4?

What are hardware recommendations for servers and indexers in our cluster setup?

Why is the timestamp not recognized for one particular event from our Microsoft TMG Proxy Logs?

How to configure props.conf and transforms.conf on Windows heavy forwarder to remove unwanted characters in rsyslog logs?

Why can't I see any Windows data forwarded from a Win7 machine with a universal forwarder installed and monitoring configured?

How to properly parse timestamps in Splunk for some text log files in a directory that have dates without a year?

Why is my configuration to anonymize data not working for fields named by FIELD_NAMES in props.conf?

search time field extractions using props for an Indexed field

How to move internal logs from Deployment Server _internal db to Index Server _internal db?

NullQ output to a File?

I have a universal forwarder installed on a linux syslog server, have created an deployment app and see that it is deployed to the server, but the data is not showing up, any suggestions?

Why Linux search head does not pick up new search-time extractions or field aliases from Windows indexers' configuration?

How to configure inputs.conf to apply crcsalt for only a few files under a directory/folder, not all of them?

How to split a value that is delimited lines inside of a delimited line

IIS failedRequests - How to define line breaking for XML / Filter events in XML to nullQueue

Why splunkd or splunkweb services do not start after upgrade from Splunk 6.1.1 to 6.2 on Windows 2008 64bit??

Getting logs for after hours access

How to create a month over month, year over year report on web analytics metrics data from CSV files?

日時情報の抽出方法について

What sourcetype should I set Cisco:asa switch data to and how to set two different sourcetypes for one UDP data input?

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions