Getting Data In

Discussions

Thread Info

Possible to merge two existing search heads on one host without pooling?

Currently I am working with two hosts that have search head and indexer functionality. I am looking at moving the sea...

by Engager in

How do I configure the forwarder local inputs config file for more than one host

[default] host = host1,host,2 etc

by Explorer in

Why are interesting fields missing after importing a large CSV file with 100 fields?

I am importing a CSV with around 100 fields. When importing, I see the review screen and it shows all of the fields a...

by Explorer in

How to find the time difference for the duration of a session?

I am trying to avoid using a join so I use an append. The whole reason behind this is to calculate the duration of a ...

by Path Finder in

Accessing SharePoint directories using UNC: Why splunkd.log shows "Monitoring file or directory that doesn't exist at startup time"?

I am trying to use fschange to monitor some SharePoint directories. As a user on my remote forwarder box I can access...

by Path Finder in

How to prevent columns in a CSV file from displaying in a report?

I have a csv file having 5 columns but I want to display only 3 columns..how can I limit the columns in the report. ...

by Explorer in

User Unable to Delete Own Saved Searches

Hey guys, one of my users encountered an issue where he is unable to delete his own saved search. Even though he is l...

by Explorer in

What is the best way to automatically map a field extracted via KV_MODE=auto to the host field in the event?

I have a feed that has nice key-value pair fields, which are automatically getting populated, via KV_MODE=auto in my ...

by Champion in

Unable to re-index all data

I'm trying to re-index some old data now that I've changed what index it goes into and The data comes in from a U...

by Explorer in

How to use sourcetype to route data from a heavy forwarder to a specific index?

I am trying to route data from a heavy forwarder to a specific index. I would prefer the rule be run on the indexers ...

by Communicator in

forward from windows machine problem

I have installed a universial forwarder on a windows machine and having it send to my splunk machine. The problem is...

by Path Finder in

How to configure props.conf and/or transforms.conf to filter out events with a specific sourcetype?

I am working on what should be a very easy filter, but cannot get it to work. I want to filter out events with source...

by Communicator in

Resetting Remote Windows Event collection "starting point"

While testing some training materials, I created a temporary index and a remote windows event collection input for my...

by SplunkTrust in

How to query data on an index that is monitoring a directory with CSV files?

Hi Experts, Can anyone please tell me how to write a search query on index which is monitoring a directory having ...

by Explorer in

How do I suppress web page pop-up when I uninstall Splunk?

Hi, I'm building a hands-off LWF installer to be pushed out to Windows servers that removes older versions of Splu...

by Path Finder in

Applications and Services Logs

Hello, i want to collect events in the Windows 2008 (r2) event logs -> "Application and Services Logs" -> "microso...

by Engager in

Distributed Environment: Why one indexer is receiving more data than another from the universal forwarder?

Hello Experts, I would like to thank whoever has been helping me out for the past couple of days. I have setup a litt...

by Motivator in

inputs.conf whitelist blacklist question

Greetings I have trying to gather logs by sifting through three levels of the file system with a white list and bl...

by Communicator in

How to filter out or send to a null queue windows event logs with universal forwarder 6.x?

i'm using UF6 and I want to filter out or send to a null queue uninteresting Windows events with UF6.

by Engager in

Field extractions don't work for forwarded input from Universal Forwarder

I have a custom source type and field extractions which work perfectly well when indexed locally on the Splunk Enterp...

by Explorer in

Why am I getting error "Couldn't establish REST service for SplunkRestAppender named 'splunkrest'" trying to integrate Splunk with log4j?

I am trying to run Example logging in https://github.com/damiendallimore/SplunkJavaLogging with log4j configurations....

by New Member in

How to determine index volume by sourcetype?

Hello, How can I determine the index volume by sourcetype? The reason why I ask is because occasionally I'll have ...

by Builder in

SPL-70250 Abuse of test script mechanism

Does this vulnerability include installs of the universal forwarders for the versions listed (5.0.4 and earlier) or d...

by New Member in

How to merge multi-line messages to one event in search query

Hi All We want to index multiline log messages with no timestamp as one event. But regular expression for multi...

by Path Finder in

How search the latest timestamp of each event type in our data?

We run a query that produces a count of each event type, but we also want to know when was the last time the event ra...

by Communicator in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Possible to merge two existing search heads on one host without pooling?

How do I configure the forwarder local inputs config file for more than one host

Why are interesting fields missing after importing a large CSV file with 100 fields?

How to find the time difference for the duration of a session?

Accessing SharePoint directories using UNC: Why splunkd.log shows "Monitoring file or directory that doesn't exist at startup time"?

How to prevent columns in a CSV file from displaying in a report?

User Unable to Delete Own Saved Searches

What is the best way to automatically map a field extracted via KV_MODE=auto to the host field in the event?

Unable to re-index all data

How to use sourcetype to route data from a heavy forwarder to a specific index?

forward from windows machine problem

How to configure props.conf and/or transforms.conf to filter out events with a specific sourcetype?

Resetting Remote Windows Event collection "starting point"

How to query data on an index that is monitoring a directory with CSV files?

How do I suppress web page pop-up when I uninstall Splunk?

Applications and Services Logs

Distributed Environment: Why one indexer is receiving more data than another from the universal forwarder?

inputs.conf whitelist blacklist question

How to filter out or send to a null queue windows event logs with universal forwarder 6.x?

Field extractions don't work for forwarded input from Universal Forwarder

Why am I getting error "Couldn't establish REST service for SplunkRestAppender named 'splunkrest'" trying to integrate Splunk with log4j?

How to determine index volume by sourcetype?

SPL-70250 Abuse of test script mechanism

How to merge multi-line messages to one event in search query

How search the latest timestamp of each event type in our data?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Parsing Multimetric Logs

SC4S Syslog server update fails during download wi...

SplunkForwarder flooding splunkd.log with reconnec...

Event break multiline PowerShell Transcript Log

uberAgent

Getting Data In

Are you a member of the Splunk Community?

Discussions