Getting Data In

Discussions

Thread Info

Do you have to upgrade universal forwarders when upgrading Splunk Enterprise?

When upgrading splunk enterprise do you have to upgrade the universal forwarders also. Running 5.0.2 enterprise and 5...

by Engager in

Routing Data to specific index based on filename

We need to route data to specific indexes based on the file names being monitored. We are trying to get the data from...

by Communicator in

Altering sourcetype based on source in props.conf

Hi, I'm trying to figure out where I'm going wrong with this. My setup consists of an indexer and several universa...

by Explorer in

Retention doesn't work - what's wrong ?

Hi, we configured retention policy based on the below parameters. However it doesn't work. There is no clue in the...

by Explorer in

How to rename sourcetype in props.conf?

Hi, After setting up a listen on UDP port (514) for syslog using inputs.conf, I tried to change the sourcetype fr...

by Explorer in

How to configure Splunk to index only security events from Windows machines?

Can Splunk be configured to index only security events (failed logins, authorization changes, etc) from Windows machi...

by New Member in

Configuration to forward log files to separate indexes

Hello! I have an application that sends two different .log files to the C:\\Program Files (x86)\\Application\_Data...

by Explorer in

Why is Splunk Truncating Multi-line Events?

I'm indexing some Java application log files that use the log4j framework to output log messages. The log files are i...

by Explorer in

Add field to all events from host

Hi There, I am working on an enterprise installation. At the moment we have 1500+ hosts sending data. I'd like eac...

by Communicator in

Remove events to avoid delayed logging?

Our generated logs need to be verified for correctness. After verification, they are sent to splunk. Problem is t...

by Engager in

Splunk not applying time zone properly in clustered environment

Hi, As per Splunk documentation, Splunk applies time zone in the following order Splunk Enterprise uses any tim...

by Influencer in

filter indexing with transform

Hi, I want to only index result of this before the log flow enter the index. I want it to calculate this and then ent...

by Explorer in

Master clustering dashboard - how to get status?

On a master node, the clustering dashboard has a column called 'status' for indexers and search heads. They're either...

by Explorer in

Splunk web app not receiving message from client

Hi All, I am new to this splunk community and as such usage of splunk in general. I have a unit which is configure...

by Explorer in

Prevent escaping of special characters

Hi there, I'm reading files with fixed width fields into splunk. For extraction and masking of dedicated fields I ...

by Path Finder in

Line Break multiple access logs

I need to line break, starting at the IP and end with the time. ex: 74.100.11.60 xx.x.xxx.xxx:59726 - Unauthentica...

by Communicator in

How to send events from same path to different indexes depending on host using a single deployment?

Hello. Here's my situation. I am using the deployment server to push deployments to universal forwarders and would li...

by Builder in

Specific props.conf stanza type and supporting documentation?

I've noticed in another Splunk environment at my site that they've set up what appear to be undocumented stanzas in p...

by Contributor in

Missing columns when exporting to CSV

Hello, I have a search that returns 3 columns of data allowing us to check the first logon of the day (or last log...

by Path Finder in

Lookup field and use it as "Text Form Input Element"

Hi, is it possible to add field via lookup and use this as text form input element? I tried it out by using this x...

by Motivator in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Do you have to upgrade universal forwarders when upgrading Splunk Enterprise?

Routing Data to specific index based on filename

Altering sourcetype based on source in props.conf

Retention doesn't work - what's wrong ?

How to rename sourcetype in props.conf?

How to configure Splunk to index only security events from Windows machines?

Configuration to forward log files to separate indexes

Why is Splunk Truncating Multi-line Events?

Add field to all events from host

Remove events to avoid delayed logging?

Splunk not applying time zone properly in clustered environment

filter indexing with transform

Master clustering dashboard - how to get status?

Splunk web app not receiving message from client

Prevent escaping of special characters

Line Break multiple access logs

How to send events from same path to different indexes depending on host using a single deployment?

Specific props.conf stanza type and supporting documentation?

Missing columns when exporting to CSV

Lookup field and use it as "Text Form Input Element"

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Receiving error that “could not load lookup xxx” w...

Do we have a Splunk script that will tell us the t...

Documentation for AWS app for S3

Why are Splunk some logs missing from kiwi syslog?

Get Blob Data W/O Key or SAS Token (use service ac...