Getting Data In

Discussions

Thread Info

Wrong Timestamp of CSV

I've a csv file containing thousands of events, each event is only single line with date time stamp and several other...

by New Member in

splunk not parsing txt file from forwarder correctly

Hi, One of my forwarders is monitoring a directory where timestamped files populate every five minutes. The text o...

by Communicator in

Heavy Forwarder sending incorrect Host

We have a heavy forwarder set up on our log server. It is sending to rsyslog and then forwarding to the indexer. ...

by New Member in

What is wrong with my inputs.conf eventcode blacklist?

I have setup the following inputs.conf stanza : [WinEventLog://Security]  disabled=0  current_only=1  blacklist1=...

by Splunk Employee in

How to assign syslog file to specific index based on file name in transforms.conf?

Can you please provide sample configuration for the below, We have multiple forwarding sources and they are using sys...

by Builder in

Split ip and port into two fields using delims

I would like to split a field called "destination" and "original_source" into 2 fields, each is an ip:port or [ipv6]:...

by Motivator in

How do I deal w. single digit months/days in vix.input.1.et.regex?

I have directory paths that look like /year=2014/month=6/day=4/hour=1/ However, using the following regex is s...

by Path Finder in

How do I specify Ctrl-A (\x01) as a field delimiter in props.conf?

How do I specify Ctrl-A (\u0001) as a field delimiter in props.conf? I tried [xxx] FIELD_DELIMITER=\x01 [xxx] ...

by Path Finder in

Struggling to get Splunk 6.0.1 to index EPOCH time for all events

I'm struggling to get my Splunk 6.0.1 to recognise an epoch time for all events. I have specified a timestamp format ...

by Explorer in

Format Splunk Output - How to add a title line in CSV output?

Hi, I am generating a report using data from database. I have a tabular format in my CSV. Is it possible via Splun...

by New Member in

Can I have different timestamp formats using the same sourcetype?

Indexing a lot of SystemOut.log files from WebSphere I realize that all almost all log files uses the following time ...

by Contributor in

How to change auto configuration of universal forwarder?

Hi all, I was assigned to push a fix on forwarders since they are forwarding data with auto-naming on index and sourc...

by Communicator in

How to prevent sensitive key-value pair in IIS cookie data from appearing in Splunk?

Hi, I'm wondering if there is a way to prevent a sensitive key-value pair that exists in cs_Cookie from appearing ...

by Explorer in

Help with fields named EXTRA_FIELD_XX

I have a lot of fields called EXTRA_FIELD_X and I am not sure why. I have not been able to find anything on Answers o...

by Path Finder in

Has anyone installed a universal forwarder 6.1.2 on Windows OS 2008 and experienced problems?

Hi, I have Splunk 5.0.5 installed on a Windows OS 2012 I have a windows 2008 64-bit with splunkforwarder-6.1.2-...

by New Member in

Error with blacklisting 4662 events in inputs.conf

When attempting to use the following suggestion on blacklisting 4662 events, I run into an error in splunkd.log ht...

by Motivator in

How to migrate Splunk Server from version 4.2.1 on Windows 2003 32 bit to version 6.1.2 on windows 2012 64 bit?

Hi, I'm about to migrate whole splunk server from v. 4.2.1 on Windows 2003 32 bit to v.6.1.2 on Windows 2012 64 bi...

by Explorer in

Where is the Splunk logrotate file located?

Our shop has four indexers with limited storage. This is due to the fact that we wanted fast disk for quicker searchi...

by Builder in

How to get two universal forwarders running from one Linux box?

Hello, Please could anyone advice me, how I can get two instance of Universal forwarders run from one Linux Box? I...

by Explorer in

How to get Windows logs into my Splunk instance on Ubuntu?

Hello, My organization is looking into using Splunk as a central log server. I have successfully installed Splunk ...

by New Member in

When should I use Report or Transform on props.conf?

When should I use Report and when should I use Transform on the props.conf?

by Path Finder in

How to set host in inputs.conf?

I'm getting data in syslog format with the host set to localhost. I know what server this is coming from but don't ha...

by New Member in

how - metadata host by index and sourcetype recentTime

This search produces the most recent timestamp for every host for aa specific index | metadata type=hosts ind...

by Path Finder in

How to use inputlookup with csv file to import two multi value fields in a search?

Hello, I try to use inputlookup with a csv file to import two multi value fields in a search. The two fields are both...

by Communicator in

No Wineventlogs With Universal Forwarder 6.1.2 on Windows Server 2008 R2

I recently installed the newest UF on a server to test before rolling out to the rest of the environment. I am able t...

by Builder in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Wrong Timestamp of CSV

splunk not parsing txt file from forwarder correctly

Heavy Forwarder sending incorrect Host

What is wrong with my inputs.conf eventcode blacklist?

How to assign syslog file to specific index based on file name in transforms.conf?

Split ip and port into two fields using delims

How do I deal w. single digit months/days in vix.input.1.et.regex?

How do I specify Ctrl-A (\x01) as a field delimiter in props.conf?

Struggling to get Splunk 6.0.1 to index EPOCH time for all events

Format Splunk Output - How to add a title line in CSV output?

Can I have different timestamp formats using the same sourcetype?

How to change auto configuration of universal forwarder?

How to prevent sensitive key-value pair in IIS cookie data from appearing in Splunk?

Help with fields named EXTRA_FIELD_XX

Has anyone installed a universal forwarder 6.1.2 on Windows OS 2008 and experienced problems?

Error with blacklisting 4662 events in inputs.conf

How to migrate Splunk Server from version 4.2.1 on Windows 2003 32 bit to version 6.1.2 on windows 2012 64 bit?

Where is the Splunk logrotate file located?

How to get two universal forwarders running from one Linux box?

How to get Windows logs into my Splunk instance on Ubuntu?

When should I use Report or Transform on props.conf?

How to set host in inputs.conf?

how - metadata host by index and sourcetype recentTime

How to use inputlookup with csv file to import two multi value fields in a search?

No Wineventlogs With Universal Forwarder 6.1.2 on Windows Server 2008 R2

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Index This | I am a number but I am countless. What am I?

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Extracting wineventlog from Azure EventHub Windows...

Missed data from SOPHOS

[Cohesity Add-on] Extension with “Protection Runs”...

Splunk VMware OVA for ITSI vs Splunk OVA for VMwar...

How to Execute a Python Script via a Button and Di...