Getting Data In

Thread Info

Is it possible to configure a forwarder to run a Powershell script to collect data at a certain time rather than setting an interval?

In Inputs.conf you can set an interval that a powershell script runs to collect data... but can you somehow set the f...

by Explorer in

How do you filter windows event log?

Hi, when I do the filtering windows log, I use the main program 6.1.4 then changed forwarder license, so Windows AD (...

by Path Finder in

Why am I getting unexpected behavior specifying files as data inputs versus directories?

I am not getting expected behavior when specifying inputs. All my logs are in a folder called "/syslog/" 1.3M -...

by Explorer in

Define python binary for universal forwarder 5.0.5?

I'm working in an environment where we have the universal forwarder (5.0.5 - old I know) installed on all our systems...

by Explorer in

Why does Splunk forwarder not report on any default monitored directories?

I noticed that a new install of splunkforwarder automatically monitors the following directories: Monitored Direct...

by Path Finder in

Non-matching timestamps and wrong breaks on timestamp

I have a log file with a timestamp at the beginning of an event in the format YYYY-MM-DD HH:MM:SS.mmm. The automatic ...

by Path Finder in

What happens when a log file gets renamed and later compressed?

Hi, I've looked though similar questions about log rotation and also the most related documentation topic here htt...

by Path Finder in

"DateParserVerbose - Failed to parse timestamp" Error: Can TIME_FORMAT accept multiple formats?

I am getting these errors, even though i think i have the timestamp parsed correctly based on other splunk answers. ...

by Contributor in

How to convert time format of 2014-10-22 15:32:00 to 10/22/2014 15:32:00

by New Member in

Can SSL configuration be applied on Splunk Universal Forwarders?

Can SSL configuration be applied on Splunk Universal Forwarders? My understanding is that it was only available on Sp...

by Motivator in

Why is my auditd log data not appearing in Splunk and don't see any errors in splunkd.log on forwarder or indexers?

I've set up forwarding many times, but for some reason cannot get my auditd log to properly appear in Splunk. I'm ban...

by Explorer in

How to convert time format of 20090930 to 30-Sep-2009?

I want to get the time in this format 2009-Sep-30 from 20090930

by Contributor in

How to configure inputs.conf to setup two separate monitoring rules?

I have these 2 group: [monitor:///pack/jboss/server/edu01_*/logs/server.log] sourcetype = server_log index = myind...

by New Member in

How to forward data from one Splunk indexer to another indexer?

I have created an outputs.conf on my Indexer. With the following stanza. [output] defaultGroup = indexerB [indexA...

by Communicator in

How to configure props.conf for Splunk to recognize all timestamps in these logs?

Splunk is not recognizing the timestamps in these logs. Some are picked up but others are grouped together into a sin...

by Path Finder in

How to configure a heavy forwarder to filter out data before sending logs to the indexer?

Hi, I like to filter out "%ASA-4-106023" before sending log to splunk indexer, Below are my config: inputs.conf [m...

by Engager in

How to troubleshoot why events of the same sourcetype are being indexed in two indexes?

I have Splunk Universal Forwarders installed on my Windows Domain Controllers. Up until 5 weeks ago, sourcetype=Activ...

by Explorer in

Performance Tuning Suggestions for TCP Syslog Running on Server 2012

I know this is not a Splunk specific question, however I have asked a similar question in the past about tuning for U...

by Builder in

Can an input be enabled or disabled based on another input?

I have a dashboard containing a checkbox with some values. These values are OR'd together in my search string. For ex...

by Explorer in

tcp and persistent queues

After reading this and this I'm not sure about the use of persistent queues on Splunk. In particular, in one impl...

by Communicator in

Universal Forwarder Not Monitoring Directory

I am having issues setting up a UNIX universal forwarder to monitor IBM IHS http log files -- it does not appear to b...

by Explorer in

How to configure LINE_BREAKER to split a multiline event?

alt textI have a log file that writes everything in one line. I'm try to count the number of events in the logfile bu...

by Path Finder in

Does anyone have a good search to help track and report the weekly upgrade progress for universal forwarder agents?

I was wondering if anyone has a good search that can help track the weekly upgrade progress for UF agents? With the d...

by Contributor in

how to avoid duplicate data when a file is created with the same name which was delete earlier.

Hi, I see duplicate data getting ingested when a file which was already ingested is being recreated upon a system ...

by New Member in

Leveraging spath with arbitrary JSON fields

I have a datasource that looks like this: { "results": { "serverone": { "time": 2, "results":...

by Splunk Employee in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Is it possible to configure a forwarder to run a Powershell script to collect data at a certain time rather than setting an interval?

How do you filter windows event log?

Why am I getting unexpected behavior specifying files as data inputs versus directories?

Define python binary for universal forwarder 5.0.5?

Why does Splunk forwarder not report on any default monitored directories?

Non-matching timestamps and wrong breaks on timestamp

What happens when a log file gets renamed and later compressed?

"DateParserVerbose - Failed to parse timestamp" Error: Can TIME_FORMAT accept multiple formats?

How to convert time format of 2014-10-22 15:32:00 to 10/22/2014 15:32:00

Can SSL configuration be applied on Splunk Universal Forwarders?

Why is my auditd log data not appearing in Splunk and don't see any errors in splunkd.log on forwarder or indexers?

How to convert time format of 20090930 to 30-Sep-2009?

How to configure inputs.conf to setup two separate monitoring rules?

How to forward data from one Splunk indexer to another indexer?

How to configure props.conf for Splunk to recognize all timestamps in these logs?

How to configure a heavy forwarder to filter out data before sending logs to the indexer?

How to troubleshoot why events of the same sourcetype are being indexed in two indexes?

Performance Tuning Suggestions for TCP Syslog Running on Server 2012

Can an input be enabled or disabled based on another input?

tcp and persistent queues

Universal Forwarder Not Monitoring Directory

How to configure LINE_BREAKER to split a multiline event?

Does anyone have a good search to help track and report the weekly upgrade progress for universal forwarder agents?

how to avoid duplicate data when a file is created with the same name which was delete earlier.

Leveraging spath with arbitrary JSON fields

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions