Getting Data In

Discussions

Thread Info

Why am I losing events when neither the cold path usage or maxage are being met?

I have an index I'm using to backfill a bunch of data, and as I'm tracking the event count by sources, I'm seeing spl...

by Contributor in

Splunk Forwarder support by Splunk

Hi - We are upgrading Splunk to 7.2.8 since 7.0 is out of support. the Universal forwarders are not mentioned in the ...

by New Member in

How to change timezone of a timestamp in results of search?

I have created a query that tracks the Start and End Time of a given job. These start and end times are calculated by...

by Engager in

what should I do if the Indexers don't receive logs for a syslog server-based log file, for more than 5 minutes

Syslog Server Source Feed Check' was triggered. It is raised when the Indexers don't receive logs for a syslog server...

by Engager in

Replacing backslash not working in SEDCMD after re-directing through transforms.conf and applying it in props.conf.

Hi, I am trying to escape backslash character from json data. It works when I apply SEDCMD definations in props.co...

by Engager in

Splunk UF Deployment - Possible Issues

Hello. We are planning on deploying UFs across our enterprise ~ 3000 systems. Currently, we have deployed UFs to 50 s...

by Explorer in

Lots of log files, how can I reduce forwarder memory usage?

The forwarder is using 4.3 GB memory. I think that is insane. OS: Windows 2008 R2 Splunk 4.2.3 The folder I am mon...

by Path Finder in

_indextime is 5 hrs ahead of event time (_time)

Hi, We have Splunk Enterprise 7.2.6 in our environment. I noticed there are latencies (difference between _time an...

by New Member in

Active Directory - Admon limits approx 1000 assets

Hi splunkers ! I ve just configured active directory monitoring based on Splunk 7.3 Active Directory inputs. The A...

by Communicator in

Index gzipped files without .gz extension

Hi, I am trying to index gzipped files that do not have the .gz extension on a window universal forwarder. Fir...

by Motivator in

How to break a multi-line event with regex, provided that the date and time containing the milliseconds changes only at the beginning of the line.

Hi, I have the following log format, How can I break this multiline event, with the condition if the date is changed ...

by Explorer in

Do Universal Forwarders need a license master?

When I restart the Splunk Universal forwarder, the following warnings get logged (to the _internal index): 07-07-2...

by Communicator in

How to transform multiple timestamps in an event

I have an event that prints the actual time which Splunk metadata has, but instead, I want to use the other timestamp...

by New Member in

How do i convert a Json Multi key value pair to multi line chart

Hi I have X number of "totalHitCount" in a JSON file (mtr.gauges.caching_metrics.nodes{}.totalHitCount). Within mu...

by Motivator in

Splunk_TA_Windows Winregistry Sourcetype missing?

All, Just working with SplunkTAWindows today and noticed that there is no specified sourcetype in inputs.conf and...

by Builder in

Splunk DBConnect and retention

Hi All, I am wondering how does the retention works when I am ingesting data which is older than the actual reten...

by Explorer in

Logging to Job Inspector from Custom Search Command

Hi folks. I have a custom search command and I am using self.logger to log messages from the command. Please see my l...

by Engager in

What is best practices for forwarders and an index cluster?

Good morning all, I am building a lab environment at AWS and I would like to know which one is the best approach f...

by New Member in

Master Class

I got to manage some indexers, I seek this can be done by master class server. How do i configure it?

by Explorer in

Cisco Router ACL Logs - How to Utilize in Cisco Security App?

Hi All - Just discovered Splunk, and I must say it's an amazing tool. I've configured a router to send syslog m...

by Engager in

Getting Data In

Discussions

Why am I losing events when neither the cold path usage or maxage are being met?

Splunk Forwarder support by Splunk

How to change timezone of a timestamp in results of search?

what should I do if the Indexers don't receive logs for a syslog server-based log file, for more than 5 minutes

Replacing backslash not working in SEDCMD after re-directing through transforms.conf and applying it in props.conf.

Splunk UF Deployment - Possible Issues

Lots of log files, how can I reduce forwarder memory usage?

_indextime is 5 hrs ahead of event time (_time)

Active Directory - Admon limits approx 1000 assets

Index gzipped files without .gz extension

How to break a multi-line event with regex, provided that the date and time containing the milliseconds changes only at the beginning of the line.

Do Universal Forwarders need a license master?

How to transform multiple timestamps in an event

How do i convert a Json Multi key value pair to multi line chart

Splunk_TA_Windows Winregistry Sourcetype missing?

Splunk DBConnect and retention

Logging to Job Inspector from Custom Search Command

What is best practices for forwarders and an index cluster?

Master Class

Cisco Router ACL Logs - How to Utilize in Cisco Security App?

Module 4 data upload fail without errors

serverclass.conf whitelist from pathname not worki...

How to produce stats with based on a field clientI...

Connect to your Azure Storage account with the Spl...

DataParserVerbose - Accepted time format has chang...