Getting Data In

Discussions

Thread Info

Wrong originating host when forwarding syslog from indexer to third party?

Hi, i have a weird problem with forwarding logs from my apache servers to both spunk and a 3rd party syslog server...

by New Member in

Reset frozenTimePeriodInSecs

How often does Splunk check for aged data and reclaim disk space? I reset the frozenTimePeriodInSecs on an indexer fr...

by Builder in

Indexer Configuration

We have 3 new HP Red Hat Servers we need to install with 13 already running. All of them have 8 drives and the new on...

by Builder in

Windows Failed Login Top Ten count

I am trying to get the top 10 Failed Login count by User. The problem is that Windows 2008 uses "Account_Name" and Wi...

by Explorer in

Is it possible to check sed performance in props.conf?

Is there a way to test the performance of sed scripts running in props.conf? I'm not an expert in regular expressions...

by Builder in

which format is efficient for splunk indexing : XML or JSON

Hi Which is best format to index for the splunk indexer XML or JSON... what is recommendation from SPlunk like whi...

by Explorer in

Splunk catalina.out for java.lang.OutOfMemoryError: PermGen space on remote VM

I am trying to setup Splunk to monitor a remote tomcat instance ( catalina.out ) for messages like permGen Running ou...

by Explorer in

bucket retention and frozenTimePeriodInSecs

My index has a retention of 6 months with frozenTimePeriodInSecs=15552000. But I still see some events that are olde...

by Communicator in

How to calculate volume of events across various indexes ?

All I want to do is create a query that fetches the below result Day Index-name Volume 4/1 abc 5GB 4/2 abc 8GB 4/3...

by Path Finder in

Setting a maximum limit on a monitored file

We just had an application bug that spewed millions of duplicate messages into a Splunk monitored logfile. This cause...

by Engager in

Upgraded Universal Forwarder, log file no longer monitored

Hey all, I'm able to successfully monitor a log file on a Windows server (2008 R2) using the Universal Forwarder w...

by Path Finder in

How to index data from a local process

I'm using a Splunk forwarder to forward data from an application running on the same Linux box as my forwarder. O...

by Path Finder in

Fast way to find size of events on disk for a time period

Often times, we are tasked with deleting data out of an index to trim it down. Generally, we do this by setting the f...

by Explorer in

Universal Forwarder to monitor Windows Event Logs

Hi, This is probably very basic, but I'm not sure where the actual log file sits for Windows Event Logs. Tryin...

by Communicator in

Windows 2008 Server Event Viewer Logs

In the Server 2008 Event Viewer there are now a "Microsoft --> Windows" folders nested under the "Applications and Se...

by Communicator in

need props.conf for custom log

I have a custom log in the format where each new record has a entry followed by a pipe (|) example log: ...

by Explorer in

Can I specify TimeZone (TZ) by Index?

In my props.conf I know I can change: $SPLUNK_HOME/etc/system/local/ and add: [source::xyz123] TZ=US/Eastern or by ho...

by Contributor in

Reconcile hosts from multiple timezones in splunk?

Hey everyone. I'm wondering how this is possible to accomplish - we have windows server farms across numerous timezo...

by Builder in

Universal Forwarder block stops all indexing completely

Hi All, We have a customer who could not justify the cost of a clustered solution. So they went down the following...

by Builder in

WinEventLog filters failing :Windows 2003 and splunk 6 SPL-78726

After upgrading my Windows servers 2003 to Splunk 6. I discovered that all my nullQueues filter stopped working, and ...

by Splunk Employee in

how do you configure the searchead so it sends summary index data to a summary index defined on distributed indexers?

I want to be able to use the search GUI to create summary index searches, but i want the actual resulting summary ind...

by Communicator in

Splunk Universal Forwarders attempting to communicate with indexer on wrong network

We've installed and are evaluating Splunk Enterprise 6.0 in a Windows environment (desktops are running Windows 7 Pro...

by Explorer in

Universal forwarder scripted install

Does anyone know if it is possible to automatically add the current_only = [0|1] attribute in a scripted Universal Fo...

by Explorer in

Unable to Start Splunk Service on Windows- failed with ERROR ConfObjectManagerDB - Cannot initialize: D:\Program Files\Splunk\etc\apps\ learned\metadata\default.meta: The operation completed successfully."

We are able to start splunk services - But getting following error while starting the services in Heavy Forwarder ...

by Splunk Employee in

How do I get an alert if my forwarder is not responding? - Monitoring Splunk Forwarder

Recently some of our universal forwarders stopped sending events to indexer? Is there a way to get an alert if for...

by Explorer in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Wrong originating host when forwarding syslog from indexer to third party?

Reset frozenTimePeriodInSecs

Indexer Configuration

Windows Failed Login Top Ten count

Is it possible to check sed performance in props.conf?

which format is efficient for splunk indexing : XML or JSON

Splunk catalina.out for java.lang.OutOfMemoryError: PermGen space on remote VM

bucket retention and frozenTimePeriodInSecs

How to calculate volume of events across various indexes ?

Setting a maximum limit on a monitored file

Upgraded Universal Forwarder, log file no longer monitored

How to index data from a local process

Fast way to find size of events on disk for a time period

Universal Forwarder to monitor Windows Event Logs

Windows 2008 Server Event Viewer Logs

need props.conf for custom log

Can I specify TimeZone (TZ) by Index?

Reconcile hosts from multiple timezones in splunk?

Universal Forwarder block stops all indexing completely

WinEventLog filters failing :Windows 2003 and splunk 6 SPL-78726

how do you configure the searchead so it sends summary index data to a summary index defined on distributed indexers?

Splunk Universal Forwarders attempting to communicate with indexer on wrong network

Universal forwarder scripted install

Unable to Start Splunk Service on Windows- failed with ERROR ConfObjectManagerDB - Cannot initialize: D:\Program Files\Splunk\etc\apps\ learned\metadata\default.meta: The operation completed successfully."

How do I get an alert if my forwarder is not responding? - Monitoring Splunk Forwarder

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)

How to combine multiple data input into one with d...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

splunkd.log errors and broken fishbucket on splunk...

update to Splunk Add-on for Infoblox?