Getting Data In

Thread Info

How to configure SSL universal forwarder and receiver?

hey I configure an SSL forward. But I have this error : Forwarder - Error : TcpInputConfig - SSL clause not...

by New Member in

How to monitor .pfx file in splunk ?

Can we able to monitor .pfx - (Certificate file) in splunk Is there any specific sourcetype already pre-defined for i...

by Motivator in

How to customize nullqueue and indexqueue filtering with new patterns over time?

Hi, I have a scenario like this: I want to filter data using NullQueue and IndexQueue. I also have the patterns with ...

by Communicator in

How do I forward specific Splunk 5.x indexes to Splunk 6.x?

I'm trying to forward specific indexes to a test splunk box with the latest version. So, I set forwarding defaults to...

by Communicator in

How to write regex to create new events before a certain time format?

Hi, Please some help me to create new event if i find HH:MM:SS time format in logs for sourcetype perfLog. I ha...

by Communicator in

How to troubleshoot busy queues reaching near peak values of 100%?

Hi, I noticed today that a number of my queues (aggqueu, indexqueue, parsingqueue, typingqueue) are reaching near ...

by Champion in

Can I set Splunk Forwarder Memory Use Limit?

We have forwarders installed on our Domain Controllers to get the Windows event logs. Our Domain Admin is excited abo...

by Communicator in

Splunk 6 REST API - Delete Custom Dashboards

Hi, In our application, we are using the REST API to create / delete custom dashboards in splunk. For delete, w...

by Engager in

What will be the size of the indexed data if I send 50GB of raw data to Splunk?

I send daily 50 GB raw data from my machines to Splunk for indexing what will be the size of the data after it got in...

by Motivator in

Which takes precedence - frozenTimePeriodInSeconds or maxTotalDataSizeMB

Hi, Which takes precedence in indexes.conf - frozenTimePeriodInSeconds or maxTotalDataSizeMB? Also, if I set maxTo...

by Champion in

If props.conf is used on a universal forwarder, does the parsing automatically happen there?

I downloaded the Windows App TA, which has props.conf settings that go on the UF TA. I am now noticing that when I...

by Communicator in

How to clone a saved search via REST API command? Is there documentation on this?

How would I clone a saved search via the REST API? I do not see any documentation in the REST API endpoints regarding...

by Path Finder in

Why is Splunk forwarder is not forwarding events?

Hi, We have installed Splunk to forward audit logs from LDAP to server02 and are not getting any events from the s...

by New Member in

How to forward logs from one Splunk server to another Splunk server?

Can you please tell us, how to forward the logs from one splunk server to another. because we are already receiving l...

by Builder in

Why is nullQueue configuration not working?

/opt/splunk/etc/system/local/transforms.conf [WhirlpoolMWGBad] REGEX=200 DEST_KEY=queue FORMAT=nullQueue /opt/...

by Contributor in

Is there a configuration that would set Splunk to ignore log events above a daily threshold?

I have 2 hosts logging to splunk via syslog. Events are received for both for a while... then one of them (the most v...

by Explorer in

Where do I point my REST API if I have search head pooling configured?

Hi, If I have Search-Head-Pooling configured, where do I point my REST API? To a physical server? If so, doesn't t...

by Champion in

Can a universal forwarder send cooked data to a 3rd party receiver over tcp?

Hi, Can the UFW send cooked data to a 3rd party receiver over tcp?

by Champion in

Can a 6.1.3 forwarder forward data to a 4.3.2 server?

I have a 6.1.3 new forwarder set to forward to an installed 4.3.2 server. Will this work, or am I required to upgrade...

by New Member in

Does outputs.conf get created when installing from CLI?

Hi All, I'm trying to install the Universal Forwarder via Command Line but I am running into some issues. Versi...

by Engager in

Is it possible to re-index file data for a specific source or sourcetype in Splunk?

Hi, I have requirement where i wants to re-index file data for specific sourcetype or source ? Is it possible t...

by Communicator in

Splunk Architecture for Production

Hi, We have 140 production servers, where we are planning to install universal forwarders. Further we need to do pro...

by Communicator in

Why do I always get an error trying to connect Splunk DB Connect to Informix database?

Hi, I am trying to connect Splunk Db Connect to informix database but I always get an error when I am saving the ...

by Path Finder in

How to forward _internal events to indexer, but keep them locally on deployment server?

I am working with the following architecture: Search HeadMultiple IndexersDeployment Server / License Master We...

by Explorer in

Is it possible to use an indexer's IP address for output on universal forwarder, but display the host name on the indexer?

Hi, Is there a way to use the IP address of the indexer on the universal forwarder but have the name of the host d...

by Path Finder in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

How to configure SSL universal forwarder and receiver?

How to monitor .pfx file in splunk ?

How to customize nullqueue and indexqueue filtering with new patterns over time?

How do I forward specific Splunk 5.x indexes to Splunk 6.x?

How to write regex to create new events before a certain time format?

How to troubleshoot busy queues reaching near peak values of 100%?

Can I set Splunk Forwarder Memory Use Limit?

Splunk 6 REST API - Delete Custom Dashboards

What will be the size of the indexed data if I send 50GB of raw data to Splunk?

Which takes precedence - frozenTimePeriodInSeconds or maxTotalDataSizeMB

If props.conf is used on a universal forwarder, does the parsing automatically happen there?

How to clone a saved search via REST API command? Is there documentation on this?

Why is Splunk forwarder is not forwarding events?

How to forward logs from one Splunk server to another Splunk server?

Why is nullQueue configuration not working?

Is there a configuration that would set Splunk to ignore log events above a daily threshold?

Where do I point my REST API if I have search head pooling configured?

Can a universal forwarder send cooked data to a 3rd party receiver over tcp?

Can a 6.1.3 forwarder forward data to a 4.3.2 server?

Does outputs.conf get created when installing from CLI?

Is it possible to re-index file data for a specific source or sourcetype in Splunk?

Splunk Architecture for Production

Why do I always get an error trying to connect Splunk DB Connect to Informix database?

How to forward _internal events to indexer, but keep them locally on deployment server?

Is it possible to use an indexer's IP address for output on universal forwarder, but display the host name on the indexer?

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

How to add 2 separate filters to a single _raw spl...

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

Getting Data In

Are you a member of the Splunk Community?

Discussions