Getting Data In

Thread Info

Failures to restart the UF in Windows

Hi! What are some common causes of failures to restart the Splunk Universal Forwarder in windows? Thank you!

by Engager in

Search results 5 times actual events for JSON data

Greetings community experts Search results for JSON data received via curl and Rest API from AWS are five times the...

by Path Finder in

How to get data in from DMZ servers?

Hello, I have a few Linux devices that are located within the DMZ. My 3 Splunk servers (Search Head, Indexer, Dep...

by Path Finder in

How to set a source_type for CSV with headers?

Hi, I'm trying to set a source_type for CSV files that contains headers, and the fields are extracted fine.The pro...

by Loves-to-Learn Lots in

How to achieve SEDCMD raw event size reduction?

Hello community, I am having an issue creating appropriate SEDCMD to reduce the size of specific Win events. I ...

by Communicator in

How to create custom source type to add metadata fields to each row and parse an array?

Hi, following ticket: https://community.splunk.com/t5/Splunk-Search/Join-all-objects-with-specific-object-within-th...

by Path Finder in

How to filter WinEventLog using SEDCMD?

Hello, community, I need help reducing Events containing 4688 and ParentProcessName=*splunkd.exe There is an ex...

by Communicator in

How to search for blocked dns/urls in my logs?

I have created a lookup table for the blocked dns/url. I want to see if there are anywhere in my logs or in my enviro...

by Path Finder in

JSON data search stats count(field) by (field) result 5x count from single event

Greetings experts Big picture: using Bash script and curl to download Rest API/JSON from an AWS instance. The begi...

by Path Finder in

WinEventLog sourcetype do not match when applied in SEDCMD

Hello, community, I am having a problem understanding why the WinEventLog sourcetype cannot be accepted as other so...

by Communicator in

How to achieve lookup multiple field but append the missing value?

How do I perform lookup multiple field but append the missing value. ThanksFor example:Table A:Name Role ...

by Motivator in

Why is Splunk OneShot not working?

Hi all, Having a strange issue. splunk add oneshot suddenly stops working. I have tried to re-read a file using...

by Explorer in

How to test a linux forwarder connection to deployment server?

Hello, I've completed the following: 1. Installed Linux forwarder. 2. Assigned ownership and permissions to...

by Path Finder in

Help with SEDCMD Regex SPL for testing purposes

Hello clever people, Would anyone be able to help me build a regex that would work on a SPL level e.g something li...

by Communicator in

How do I resolve universal forwarder issue with TCP connection (can telnet to 8089 and 9997 though from host)?

Hello! Been using the universal forwarder for years connecting to a heavy forwarder currently forwarding to splunk cl...

by Engager in

Why did universal forwarder stop forwarding data?

Hi Community, We have installed Universal forwarder on windows 2019 server and were able to get the data into Splu...

by Engager in

What is causing json messages to not always be indexed?

Hi everyone, For one of our client we are sending in json log data via log4j2 to the splunk cloud HEC token. we...

by Loves-to-Learn Everything in

FortiAnalyzer log interpretation problem

Hi, I am completely new to Splunk and I'm forwarding directly from FortiAnalyzer to Splunk on TCP1514. I have confi...

by Loves-to-Learn in

How to streamline getting Sterling File Gateway data into Splunk more directly?

We are currently using SFG to transfer files, sending fie movement and info data to DB tables, and then using Splunk ...

by Observer in

Why are JSON events coming in as duplicates after using the spath command?

I'm using a bash script to call Cisco ESA API and I get the following JSON events. sourcetype="cisco:esa:api:by:...

by Path Finder in

How to index file with multiline events and intermittently occurring timestamps?

I have a particularly challenging log format and would appreciate any inputs on how to tackle this problem. Proble...

by Path Finder in

How to send data to different index?

Hello I have some kind of data that I want to filter to different index and in the future i would like to stop thi...

by Communicator in

How can I fix logs delay due to timezone difference in the UF server?

Hi All i have a log source in the server timezone is in CST and logs are coming into the server as UTC time zone logs...

by Path Finder in

How to configure active MQ logs to Splunk?

Hi All, Could someone please provide steps to configure Active MQ logs into Splunk in the existing environment. ...

by Engager in

Why are props not working consistently?

Hi Team, I have created a props for line breaking. I have tested it using a process of Add Data and Set sourcetype...

by Explorer in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

Failures to restart the UF in Windows

Search results 5 times actual events for JSON data

How to get data in from DMZ servers?

How to set a source_type for CSV with headers?

How to achieve SEDCMD raw event size reduction?

How to create custom source type to add metadata fields to each row and parse an array?

How to filter WinEventLog using SEDCMD?

How to search for blocked dns/urls in my logs?

JSON data search stats count(field) by (field) result 5x count from single event

WinEventLog sourcetype do not match when applied in SEDCMD

How to achieve lookup multiple field but append the missing value?

Why is Splunk OneShot not working?

How to test a linux forwarder connection to deployment server?

Help with SEDCMD Regex SPL for testing purposes

How do I resolve universal forwarder issue with TCP connection (can telnet to 8089 and 9997 though from host)?

Why did universal forwarder stop forwarding data?

What is causing json messages to not always be indexed?

FortiAnalyzer log interpretation problem

How to streamline getting Sterling File Gateway data into Splunk more directly?

Why are JSON events coming in as duplicates after using the spath command?

How to index file with multiline events and intermittently occurring timestamps?

How to send data to different index?

How can I fix logs delay due to timezone difference in the UF server?

How to configure active MQ logs to Splunk?

Why are props not working consistently?

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

.NET Application Runtime Metrics Not Showing in Sp...

Streamfwd drops IPFIX data with “no template recei...

Forwarding all logs from HF to third-party using s...

Splunk Observability Cloud/SignalFx - Related Cont...

Splunk Answers Content Calendar May 2025 🎉

Getting Data In

Are you a member of the Splunk Community?

Discussions