Getting Data In

Discussions

Thread Info

Why are my headers are getting indexed as events every 1 hour?

Hi, I'm facing a strange issue. Header rows are getting extracted as events every 1 hour. I have files flowing int...

by Communicator in

How to set line breaker after a certain number of fields has been read?

I have a csv file which has 13 columns. For some reason Splunk sometime append the next line of the csv into the same...

by Contributor in

How analyse the latest version of a growing csv?

Hi, I want to import a growing .csv every week, so there will be duplicate events. In the report I only want to an...

by Motivator in

Duration between messages

Hi, I have messages in Splunk like: { [-] id: ABC message: test1 timestamp: 2017-08-07T16:38:38+00:00 } { [-] id...

by New Member in

Why is my EVAL configuration in props.conf on the Search Head not processing?

I'm working with data that is being sent from a universal forwarder (UF) on the server. I do an INDEXED_EXTRACTION in...

by Contributor in

How to display a log based off of fields from multiple logs

I'm not 100% sure how to title this question so please let me know if you have a suggestion on how to re-title it and...

by Explorer in

How can I filter my search for a field only if the result is not a number?

I am trying to filter my search for a field only if the result is not a number EG Index=proxylogs where isnum(cs_u...

by Engager in

What is the harm of using auto_high_volume on smaller indexes?

Hi, I found myself on a site where EVERY index is configured auto_high_volume. I'm aware that it is best practice ...

by Communicator in

Why are some keys in license_usage.log empty?

I'm trying to use the license_usage.log as a way to track source(type) volume on a per index basis, something not rea...

by Influencer in

How can I display zero-value/empty time when using stats?

Search: index=* | bin span=1d _time | convert ctime(_time) as Time timeformat=%m/%d/%y |stats count(eval(searchma...

by New Member in

Use Splunk SDK for Python to populate a lookup from a CSV file

I would like to populate the data inside of a lookup file from a .csv on a local computer. Is there a way to use the ...

by Explorer in

Why am I not receiving any data from my new sourcetype in inputs.conf?

I have decided to use a different sourcetype for some logs which are already going into splunk (every 2 mins or so) ...

by New Member in

How to prevent curly brackets from showing up in JSON field names?

Hi folks, I'm trying to ingest some JSON data into Splunk, which it handles wonderfully, but I am getting curly br...

by Communicator in

How to specify source stanza for non-file input types in props.conf

I am trying to write some source:: stanzas in props.conf to forward data to another system. For file inputs (e.g., mo...

by Path Finder in

How can we send our firewall logs directly to an indexer (without a heavy forwarder)?

We have two indexers and 1 search head in our environment. We are going to integrate a Cisco ASA firewall with Splunk...

by New Member in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Why are my headers are getting indexed as events every 1 hour?

How to set line breaker after a certain number of fields has been read?

How analyse the latest version of a growing csv?

Duration between messages

Why is my EVAL configuration in props.conf on the Search Head not processing?

How to display a log based off of fields from multiple logs

How can I filter my search for a field only if the result is not a number?

What is the harm of using auto_high_volume on smaller indexes?

Why are some keys in license_usage.log empty?

How can I display zero-value/empty time when using stats?

Use Splunk SDK for Python to populate a lookup from a CSV file

Why am I not receiving any data from my new sourcetype in inputs.conf?

How to prevent curly brackets from showing up in JSON field names?

How to specify source stanza for non-file input types in props.conf

How can we send our firewall logs directly to an indexer (without a heavy forwarder)?

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!

Suggestions Please: REST Api, csv,html

Can you use ingest actions against _raw?

Can Data Manager import Cloudwatch ECS Fargate log...

cisco sdwan & cloud splunk: how to get data_input

Assistance Needed: Reformatting Provided Events to...