Getting Data In

Ask a Question

Discussions

Thread Info

Why did our heavy forwarder start indexing locally and how to disable this?

Hello All I have a new environment where we have a bunch of nix webservers in a DMZ. We installed universal forwar...

by Contributor in

Do Splunk inputs dedicated to universal forwarders need reverse DNS configured?

We have around 230 PCs servers spelunking to a single splunk server across a firewall. Many of these clients are n...

by Engager in

How to configure props.conf to remove any line NOT containing a certain string?

Hi. All I want is the props.conf equivalent of this delete action from sed: '/pattern/!d' That is it... ju...

by Path Finder in

list host, source by forwarder

How do i get a list comprising the fields host, source for each forwarder. Background: the admins of the machines ...

by SplunkTrust in

Questions about user-seed.conf

I have few questions regarding to user-seed.conf http://docs.splunk.com/Documentation/Splunk/latest/Admin/User-seedco...

by Communicator in

How to store lots of metadata that would be the same for each event?

We measure 50 values every 5 seconds during each hour long experiment. We do these experiments many times under diffe...

by New Member in

How to configure parameter for TailingProcessor to automatically retry reading a file after failing?

It took a while to copy the large logfile over the slow network, and it looks like the TailingProcessor gave up after...

by Path Finder in

What's the trick to get unarchive_cmd to work for a custom archive format?

I've been attempting to get the unarchive_cmd to work with no success. I decided to abandon my ultimate goal for the ...

by Super Champion in

How to change IDS logs to JSON format and index in Splunk?

Hi, I trying to index ids logs into splunk server however the log is not in good format. How can i reformat the log i...

by Engager in

Do I need to create a transforms.conf file in addition to props.conf to disable truncate for a specific sourcetype?

I have created a props.conf file to allow for logging an event of 16,000 characters. If I am reading the documentatio...

by New Member in

How to override the sourcetype of events within the same source based on the event format?

I'm trying to override the sourcetype of events within the same source (for now, a file uploaded once and indexed - o...

by Explorer in

How to fix perfmon errors "Object specified...in conf file is not valid"?

how to fix this error: ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-per...

by Explorer in

Is it possible to run a 6.1.3 universal forwarder with an AIX 5.3?

Hello, I'm wondering if is possible to run the universal forwarder with an AIX 5.3. The download page says that on...

by Explorer in

Is there a way to send data to Splunk over SSL from a third-party device without using a forwarder?

I'm trying to get Splunk to accept communication from a third-party device over SSL. The documentation is oriented to...

by Communicator in

Splunk SDK: Is there a way to set the time of an event created from Submit?

I'm currently in the process of sending data to the Splunk server through the C# SDK. The time for every event sen...

by Path Finder in

Splunk Universal Forwarder stopped working

On one of our Universal Forwarders the splunkd service stopped running. I was able to restart it and it is now workin...

by Contributor in

Interpreting errors after deleting Splunk log files

I'm reinstalling some UFs in my VM network. I'm using a suggestion posted in http://answers.splunk.com/answers/86950/...

by Explorer in

Firewall indexing latency: How to track when syslog is read by file monitor when the log is seen in search GUI?

I can find the latency for firewall log indexing like this index=Firewall | eval diff_sec=(_indextime - _time)| wh...

by Motivator in

Is it possible to modify a log that has already been indexed?

Hi? Is it possible to modify a record that has already been indexed? Or failing that, delete it and write another wi...

by Contributor in

props.conf time_format appears to be ignored even though data preview works correctly

Hello, I've been banging my head against a wall trying to figure out this problem and haven't been able to make any p...

by Engager in

Splunk 5 as VM and using Nimble Storage for shared storage

Hello everyone, Does anyone use or know anyone using Splunk 5 in this topology: 2 Splunk indexers (clustered & rep...

by Path Finder in

Is it possible to manage all saved searches in a custom app?

https://localhost/8089/servicesNS/-/search/saved/searches Is this possible, manage all saved searches displayed in...

by Builder in

Question about sourcetypes and use of 'collect' command.

We've got a .csv file that we are trying to load into an existing index and an existing sourcetype by using the 'coll...

by Explorer in

How can I calculate Max index size to meet data retention needs?

Hi, I need to keep about 6 months of searchable data in the splunk environment which i am working with. The ave...

by Engager in

fschange not working

Dear All, I am need to monitor a folder in which which all file are getting generated and which all the files get ...

by Contributor in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Why did our heavy forwarder start indexing locally and how to disable this?

Do Splunk inputs dedicated to universal forwarders need reverse DNS configured?

How to configure props.conf to remove any line NOT containing a certain string?

list host, source by forwarder

Questions about user-seed.conf

How to store lots of metadata that would be the same for each event?

How to configure parameter for TailingProcessor to automatically retry reading a file after failing?

What's the trick to get unarchive_cmd to work for a custom archive format?

How to change IDS logs to JSON format and index in Splunk?

Do I need to create a transforms.conf file in addition to props.conf to disable truncate for a specific sourcetype?

How to override the sourcetype of events within the same source based on the event format?

How to fix perfmon errors "Object specified...in conf file is not valid"?

Is it possible to run a 6.1.3 universal forwarder with an AIX 5.3?

Is there a way to send data to Splunk over SSL from a third-party device without using a forwarder?

Splunk SDK: Is there a way to set the time of an event created from Submit?

Splunk Universal Forwarder stopped working

Interpreting errors after deleting Splunk log files

Firewall indexing latency: How to track when syslog is read by file monitor when the log is seen in search GUI?

Is it possible to modify a log that has already been indexed?

props.conf time_format appears to be ignored even though data preview works correctly

Splunk 5 as VM and using Nimble Storage for shared storage

Is it possible to manage all saved searches in a custom app?

Question about sourcetypes and use of 'collect' command.

How can I calculate Max index size to meet data retention needs?

fschange not working

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

splunkd.log errors and broken fishbucket on splunk...