Getting Data In

Ask a Question

Discussions

Thread Info

How to troubleshoot why 90 data data retention configuration is not being applied?

I want to freeze all data older than 90 days. My /opt/splunk/etc/system/local/indexes.conf file looks like this ...

by New Member in

How to configure data inputs to forward files from storage instead of local drives?

Hi, i want to forward files from the storage instead of from the local drives, what would be the solution? thks

by Path Finder in

How to configure apache access logs generated in access.log_timestamp format in inputs.conf ?

Hi , We have apache access logs generated in below format . access.log_2014.11.11 , access.log_2014.11.12 , acc...

by New Member in

Cant find data added through inputs.conf

I tried adding the data through inputs.conf. I am trying to add sample log file from my system to the splunk server. ...

by Explorer in

In a cluster with a replication factor of 3, if one indexer is replaced, will a copy of the data from the 2 working indexers replicate to the new indexer?

Hi splunkers, Good day! I have a clustered setup of RF=3 and SF=3. I'm just curious, what if one of my indexers ne...

by Communicator in

When does the ANNOTATE_PUNCT props.conf setting apply? At input-time or index-time?

According to Splunk's documentation for props.conf, the ANNOTATE_PUNCT setting "Determines whether to index a special...

by Explorer in

Unable to parse timestamp from xml tag

I am facing problem with timestamp from xml file entry. Following is the sample tag from xml file <row Id="82949"...

by Engager in

How to troubleshoot why my intermediate forwarder is not working, causing 600 universal forwarders to not send data to indexers?

I have a ticket in with support but this may be faster. My intermediate forwarder is not working right. When I res...

by Motivator in

Why can't I see the Forwarder Inputs section under Data Inputs after upgrade from Splunk 6.1.4 to 6.2 and using DB Connect 1.1.4?

I followed the following steps while while upgrading from Splunk 6.1.4 to 6.2, but the Forwarder Inputs section under...

by Splunk Employee in

What are hardware recommendations for servers and indexers in our cluster setup?

Hi, Just a newbie here. Im planning to have a RF=3 SF=3 clustered setup with 5GB on a raid 10 a day volume running...

by Communicator in

Why is the timestamp not recognized for one particular event from our Microsoft TMG Proxy Logs?

Hi Splunkers, I have a strange problem with Microsoft TMG, Splunk can't find the time stamp on one particular eve...

by Path Finder in

How to configure props.conf and transforms.conf on Windows heavy forwarder to remove unwanted characters in rsyslog logs?

Hi there, We have a Windows Heavy Forwarder which gets Windows logs. We want to send these logs to an external Rsy...

by New Member in

Why can't I see any Windows data forwarded from a Win7 machine with a universal forwarder installed and monitoring configured?

Hi everybody, I need to set up a system monitor that collects logon and logout data from some Windows machines (serve...

by New Member in

How to properly parse timestamps in Splunk for some text log files in a directory that have dates without a year?

I have seen somewhat similar issues on here, but none that meet my situation. I have a directory on a Windows serv...

by Communicator in

Why is my configuration to anonymize data not working for fields named by FIELD_NAMES in props.conf?

Hallo, I am in the need of anonymizing the second column in a tab-separated log file. I use the method described in ...

by Explorer in

search time field extractions using props for an Indexed field

Hello Experts, We have a field xyz which holds mac addresses. Problem is, some of the mac addresses are of xx:xx:xx:x...

by Motivator in

How to move internal logs from Deployment Server _internal db to Index Server _internal db?

Hello, I'm having a hard time finding a way forwarding all the internal logs from my Deployment server to the Inde...

by Path Finder in

NullQ output to a File?

Hi, I have applied NullQ and IndexQ filtering on my log files at Heavy Forwarder. But the client demands, we do no...

by Communicator in

I have a universal forwarder installed on a linux syslog server, have created an deployment app and see that it is deployed to the server, but the data is not showing up, any suggestions?

I have created an index called prod_syslog with four sourcetypes monitoring the below paths. I see this app is deploy...

by Explorer in

Why Linux search head does not pick up new search-time extractions or field aliases from Windows indexers' configuration?

I have a Linux server that forwards data (no local indexing) and also acts as a search head with two Windows search p...

by Explorer in

How to configure inputs.conf to apply crcsalt for only a few files under a directory/folder, not all of them?

I need to apply CRCsalt for only few file under dir/folder not all of them. Below is my current inputs.conf [monit...

by Path Finder in

How to split a value that is delimited lines inside of a delimited line

Here's a puzzler for you all. I have SharePoint search logs coming in. The results field has a value like this: 4#...

by Communicator in

IIS failedRequests - How to define line breaking for XML / Filter events in XML to nullQueue

I am trying to configure Splunk to index IIS failedrequests. My priority is To have Splunk indexing the Event- ta...

by Contributor in

Why splunkd or splunkweb services do not start after upgrade from Splunk 6.1.1 to 6.2 on Windows 2008 64bit??

Running windows 2008 64bit , simply wanted to upgrade as it was prompting me too and got annoying so I did now it's b...

by Explorer in

Getting logs for after hours access

Hello, I want to be able to get logs from Splunk for anyone who came in to the building between 7PM and 7AM the ne...

by Path Finder in

Get Updates on the Splunk Community!

Getting Data In

Discussions

How to troubleshoot why 90 data data retention configuration is not being applied?

How to configure data inputs to forward files from storage instead of local drives?

How to configure apache access logs generated in access.log_timestamp format in inputs.conf ?

Cant find data added through inputs.conf

In a cluster with a replication factor of 3, if one indexer is replaced, will a copy of the data from the 2 working indexers replicate to the new indexer?

When does the ANNOTATE_PUNCT props.conf setting apply? At input-time or index-time?

Unable to parse timestamp from xml tag

How to troubleshoot why my intermediate forwarder is not working, causing 600 universal forwarders to not send data to indexers?

Why can't I see the Forwarder Inputs section under Data Inputs after upgrade from Splunk 6.1.4 to 6.2 and using DB Connect 1.1.4?

What are hardware recommendations for servers and indexers in our cluster setup?

Why is the timestamp not recognized for one particular event from our Microsoft TMG Proxy Logs?

How to configure props.conf and transforms.conf on Windows heavy forwarder to remove unwanted characters in rsyslog logs?

Why can't I see any Windows data forwarded from a Win7 machine with a universal forwarder installed and monitoring configured?

How to properly parse timestamps in Splunk for some text log files in a directory that have dates without a year?

Why is my configuration to anonymize data not working for fields named by FIELD_NAMES in props.conf?

search time field extractions using props for an Indexed field

How to move internal logs from Deployment Server _internal db to Index Server _internal db?

NullQ output to a File?

I have a universal forwarder installed on a linux syslog server, have created an deployment app and see that it is deployed to the server, but the data is not showing up, any suggestions?

Why Linux search head does not pick up new search-time extractions or field aliases from Windows indexers' configuration?

How to configure inputs.conf to apply crcsalt for only a few files under a directory/folder, not all of them?

How to split a value that is delimited lines inside of a delimited line

IIS failedRequests - How to define line breaking for XML / Filter events in XML to nullQueue

Why splunkd or splunkweb services do not start after upgrade from Splunk 6.1.1 to 6.2 on Windows 2008 64bit??

Getting logs for after hours access

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

DNS logs - INFO [:12345] Script exceeded maximum r...

Onboard Unknown Source to SC4S

.NET Application Runtime Metrics Not Showing in Sp...

Streamfwd drops IPFIX data with “no template recei...

Splunk Observability Cloud/SignalFx - Related Cont...

Getting Data In

Are you a member of the Splunk Community?

Discussions