Getting Data In

Community Activity

How to write regex to identify and use current timestamp for event if the timestamp field in data is missing? Hi all, I want the "date" field to be used as timestamp. However, in some of the events this field is missing and so... by saileec Engager in Getting Data In 11-19-2014 0 3	0	3
Command-line syntax to deploy universal forwarder with SSL certificates? Based on the documentation provided, the proper command-line arguments to be used when deploying certificates is CERT... by vonStauf Explorer in Getting Data In 11-19-2014 1 1	1	1
How to remove sources from disk via CLI? Hello, We’re looking to remove data from one of our indexes, preferably using the clean operator from the CLI. We h... by Benlavender Explorer in Getting Data In 11-19-2014 0 1	0	1
Why am I getting "Connection to host=:9997 failed" after configuring a universal forwarder on Linux? I have configured a universal forwarder on one of our Linux systems. When i check the logs it shows Connection to ho... by nitheeshp86 New Member in Getting Data In 11-19-2014 0 1	0	1
Why am I getting errors failing to parse a Unix timestamp with my current configuration? I have unix timestamp in my data file . review/time: 1182816000 review/summary: Periwinkle... To parse this timesta... by akshaybahetii New Member in Getting Data In 11-18-2014 0 7	0	7
Error while Redirect 514 to 9997 Hi guys, I have a source that send log via syslog push tcp 514. The configuration is working well on my SPlunk test ... by bgaignon Path Finder in Getting Data In 11-18-2014 0 7	0	7
What happens when distributed search is enabled and one of the indexers goes down? Hello, I've read Splunk documentation on that matter but I'm not able to find my answer. Does anyone know how Splunk... by gnoellbn Explorer in Getting Data In 11-18-2014 0 2	0	2
Is there a way to create an additional index based on a discovered field? I went through the Exploring Splunk book which states that the data is indexed w.r.t. _time, host , source & sourceTy... by mohitab Path Finder in Getting Data In 11-17-2014 0 7	0	7
How to troubleshoot why 90 data data retention configuration is not being applied? I want to freeze all data older than 90 days. My /opt/splunk/etc/system/local/indexes.conf file looks like this [de... by rblalock New Member in Getting Data In 11-17-2014 0 2	0	2
How to configure data inputs to forward files from storage instead of local drives? Hi, i want to forward files from the storage instead of from the local drives, what would be the solution? thks by newbiesplunk Path Finder in Getting Data In 11-17-2014 0 2	0	2
How to configure apache access logs generated in access.log_timestamp format in inputs.conf ? Hi , We have apache access logs generated in below format . access.log_2014.11.11 , access.log_2014.11.12 , ac... by danishdanish1 New Member in Getting Data In 11-17-2014 0 1	0	1
Cant find data added through inputs.conf I tried adding the data through inputs.conf. I am trying to add sample log file from my system to the splunk server. ... by vaishnavi07 Explorer in Getting Data In 11-17-2014 0 20	0	20
In a cluster with a replication factor of 3, if one indexer is replaced, will a copy of the data from the 2 working indexers replicate to the new indexer? Hi splunkers, Good day! I have a clustered setup of RF=3 and SF=3. I'm just curious, what if one of my indexers need... by sympatiko Communicator in Getting Data In 11-16-2014 1 6	1	6
When does the ANNOTATE_PUNCT props.conf setting apply? At input-time or index-time? According to Splunk's documentation for props.conf, the ANNOTATE_PUNCT setting "Determines whether to index a special... by mthierbel Explorer in Getting Data In 11-16-2014 0 1	0	1
Unable to parse timestamp from xml tag I am facing problem with timestamp from xml file entry. Following is the sample tag from xml file <row Id="82949" U... by v2k007 Engager in Getting Data In 11-16-2014 0 3	0	3
How to troubleshoot why my intermediate forwarder is not working, causing 600 universal forwarders to not send data to indexers? I have a ticket in with support but this may be faster. My intermediate forwarder is not working right. When I rest... by hartfoml Motivator in Getting Data In 11-15-2014 1 3	1	3
Why can't I see the Forwarder Inputs section under Data Inputs after upgrade from Splunk 6.1.4 to 6.2 and using DB Connect 1.1.4? I followed the following steps while while upgrading from Splunk 6.1.4 to 6.2, but the Forwarder Inputs section under... by cdo_splunk Splunk Employee in Getting Data In 11-14-2014 1 1	1	1
What are hardware recommendations for servers and indexers in our cluster setup? Hi, Just a newbie here. Im planning to have a RF=3 SF=3 clustered setup with 5GB on a raid 10 a day volume running. ... by sympatiko Communicator in Getting Data In 11-14-2014 1 2	1	2
Why is the timestamp not recognized for one particular event from our Microsoft TMG Proxy Logs? Hi Splunkers, I have a strange problem with Microsoft TMG, Splunk can't find the time stamp on one particular event... by btiggemann Path Finder in Getting Data In 11-14-2014 0 2	0	2
How to configure props.conf and transforms.conf on Windows heavy forwarder to remove unwanted characters in rsyslog logs? Hi there, We have a Windows Heavy Forwarder which gets Windows logs. We want to send these logs to an external Rsysl... by feliz New Member in Getting Data In 11-14-2014 0 2	0	2
Why can't I see any Windows data forwarded from a Win7 machine with a universal forwarder installed and monitoring configured? Hi everybody, I need to set up a system monitor that collects logon and logout data from some Windows machines (serve... by alessandromagri New Member in Getting Data In 11-13-2014 0 3	0	3
How to properly parse timestamps in Splunk for some text log files in a directory that have dates without a year? I have seen somewhat similar issues on here, but none that meet my situation. I have a directory on a Windows server... by peter_gianusso Communicator in Getting Data In 11-13-2014 0 4	0	4
Why is my configuration to anonymize data not working for fields named by FIELD_NAMES in props.conf? Hallo, I am in the need of anonymizing the second column in a tab-separated log file. I use the method described in ... by keywork Explorer in Getting Data In 11-13-2014 0 5	0	5
search time field extractions using props for an Indexed field Hello Experts, We have a field xyz which holds mac addresses. Problem is, some of the mac addresses are of xx:xx:xx:x... by Raghav2384 Motivator in Getting Data In 11-13-2014 1 10	1	10
How to move internal logs from Deployment Server _internal db to Index Server _internal db? Hello, I'm having a hard time finding a way forwarding all the internal logs from my Deployment server to the Index ... by santiagoaloi Path Finder in Getting Data In 11-13-2014 0 1	0	1

Get Updates on the Splunk Community!

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...

Developer Spotlight with Mika Borner

From Hackathon Winner to Enterprise Leader Mika Borner, CEO and Founder of Datapunctum AG, has been ...

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...

Getting Data In

How to write regex to identify and use current timestamp for event if the timestamp field in data is missing?

Command-line syntax to deploy universal forwarder with SSL certificates?

How to remove sources from disk via CLI?

Why am I getting "Connection to host=:9997 failed" after configuring a universal forwarder on Linux?

Why am I getting errors failing to parse a Unix timestamp with my current configuration?

Error while Redirect 514 to 9997

What happens when distributed search is enabled and one of the indexers goes down?

Is there a way to create an additional index based on a discovered field?

How to troubleshoot why 90 data data retention configuration is not being applied?

How to configure data inputs to forward files from storage instead of local drives?

How to configure apache access logs generated in access.log_timestamp format in inputs.conf ?

Cant find data added through inputs.conf

In a cluster with a replication factor of 3, if one indexer is replaced, will a copy of the data from the 2 working indexers replicate to the new indexer?

When does the ANNOTATE_PUNCT props.conf setting apply? At input-time or index-time?

Unable to parse timestamp from xml tag

How to troubleshoot why my intermediate forwarder is not working, causing 600 universal forwarders to not send data to indexers?

Why can't I see the Forwarder Inputs section under Data Inputs after upgrade from Splunk 6.1.4 to 6.2 and using DB Connect 1.1.4?

What are hardware recommendations for servers and indexers in our cluster setup?

Why is the timestamp not recognized for one particular event from our Microsoft TMG Proxy Logs?

How to configure props.conf and transforms.conf on Windows heavy forwarder to remove unwanted characters in rsyslog logs?

Why can't I see any Windows data forwarded from a Win7 machine with a universal forwarder installed and monitoring configured?

How to properly parse timestamps in Splunk for some text log files in a directory that have dates without a year?

Why is my configuration to anonymize data not working for fields named by FIELD_NAMES in props.conf?

search time field extractions using props for an Indexed field

How to move internal logs from Deployment Server _internal db to Index Server _internal db?

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

CiscoSecurityCloud TA 3.6.7 -eStreamer ingestion f...

SC4S postfilter not dropping Fortigate east-west t...

Transilience AI threat intel feed integration

How to integrate threat armor with splunk?

How to integrate Google Cloud armor with splunk?

Getting Data In

Join the Conversation