Getting Data In

Discussions

Thread Info

How to configure props.conf for two different log types: bluecoat and bluecoat_sg?

I have a two different props.conf stanzas for two different log types (i.e., bluecoat and bluecoat_proxysg). What is ...

by Explorer in

How to modify roles for an LDAP group with the REST API?

Hi guys, Sorry to bother you these days, but it's not so easy work with the REST API without some examples. Now I...

by Communicator in

Sonicwall 4060 logs

I'd like to use the SYSLOG feature in the Sonicwall 4060 to send the logs to SPLUNK automatically .. currently I'm du...

by New Member in

Is there a Splunk Segment setting for sourcetype, similar to host_segment=x in inputs.conf?

Splunk 6.3 I am looking at the feature host_segment=x in inputs.conf. And wondering if there is a similar feature ...

by Builder in

Timestamp lookahead questions

Hi I have the following configuration: timestamp format : %c timestamp prefix: Start\sTime:\s+ lookahead: ??? I...

by Builder in

Spotting when a file has been finished indexing?

I have a monitor input, which rarely has new files, and I'd like set up an alert for it. How can I find something abo...

by Communicator in

Is there a limit on json arrays?

Hi, I import a json-file with a json-object that contains an array with another 50 json-objects. It looks like, that ...

by Path Finder in

How can I debug a TCP feed on a heavy forwarder?

Hi, I need to debug a tcp feed from a load-balancer, on a server where I don't have root or sudo. Is there a props...

by Champion in

Is it better to have Universal Forwarders on each server, or collect logs first in one place, and then forward them to the indexers?

What would be the better solution: deploying Universal Forwarders to each server in the environment or collecting log...

by Contributor in

How to create an alert to trigger an email when a forwarder is stopped on a server?

We have a report which helps us to trigger an alert when the Indexer is down. Is there a way we can monitor if the fo...

by Communicator in

How to filter out a Windows Event Code if the event from a user repeats over a period of time?

I want to capture Windows Event Logs EventCode 4673 when it happens once for each user over a period of one hour. If ...

by Motivator in

Sending rsyslog JSON format

Hello, I have tried today to integrate Splunk with Rsyslog that Contains JSON. The issue is that rsyslog is sendin...

by Engager in

Time format for identifying processing rate

I am trying to get some details from my event text which has the record count and also the processing time. I want to...

by New Member in

On a Linux Splunk Server, how do I ingest Windows CIFS audit files

I have adtlog.evt files I wish to look at from Splunk. How do I do this without using a Windows Splunk server? (I do ...

by Engager in

Monitor input not reading files ?

I'm facing an issue with a monitor input like this: index=myindex disabled=0 sourcetype=mysourcetype crcSalt=salt ...

by Communicator in

splunk-reskit-powershell 401

I'm using splunk-reskit-powershell to access splunk, but running "Connect-Splunk -Credentials $credentials -ComputerN...

by Engager in

Can I call more than one transform from a props.conf stanza?

[tomcat-logs] TRANSFORMS-null = setnullping TRANSFORMS-rename_source = source_clean-YYYY-MM-DD Is that a legitimat...

by Motivator in

Getting additional disk space for a fast growing index. What's next?

We have a fast growing index which now has filled 94% of the available space. Our system administrators gave us a new...

by Builder in

How to Not apply cluster-bundle

Hi, i am installing two new indexers for test, as test indexers they have very small disks. As clustermember ...

by Path Finder in

Drop specific event

Hi I have a log that we are indexing, now we want to drop specific events from it by sending it to the nullQueue....

by Path Finder in

Get Updates on the Splunk Community!

Getting Data In

Discussions

How to configure props.conf for two different log types: bluecoat and bluecoat_sg?

How to modify roles for an LDAP group with the REST API?

Sonicwall 4060 logs

Is there a Splunk Segment setting for sourcetype, similar to host_segment=x in inputs.conf?

Timestamp lookahead questions

Spotting when a file has been finished indexing?

Is there a limit on json arrays?

How can I debug a TCP feed on a heavy forwarder?

Is it better to have Universal Forwarders on each server, or collect logs first in one place, and then forward them to the indexers?

How to create an alert to trigger an email when a forwarder is stopped on a server?

How to filter out a Windows Event Code if the event from a user repeats over a period of time?

Sending rsyslog JSON format

Time format for identifying processing rate

On a Linux Splunk Server, how do I ingest Windows CIFS audit files

Monitor input not reading files ?

splunk-reskit-powershell 401

Can I call more than one transform from a props.conf stanza?

Getting additional disk space for a fast growing index. What's next?

How to Not apply cluster-bundle

Drop specific event

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor

Introducing Edge Processor: Next Gen Data Transformation

Do we have a Splunk script that will tell us the t...

Documentation for AWS app for S3

Why are Splunk some logs missing from kiwi syslog?

Get Blob Data W/O Key or SAS Token (use service ac...

Splunk Ingest Actions - Using Eval Expression Synt...