Getting Data In

Ask a Question

Discussions

Thread Info

Any idea why the timestamp of data that send via logstash, change when stored in Splunk index?

Hitimestamp of data that send via logstash change when store in splunk index. what is the reason? index="influx2sp...

by Motivator in

How to set workload management rules?

Hi, I'm trying to set 2 rules in my workload management pool - search_type=adhoc AND runtime>1m -> Move search ...

by Explorer in

Why is spath returning duplicate value for fields?

Hi I'm trying to use spath to break doen json log, but it duplicates these two fields "time" and "@timestamp" when I ...

by Motivator in

Unable to initialize modular input "WinEventLog" after server restart

Having this intermittent problem with UF on multiple servers where it occasionally fails to start up the WinEventLog ...

by Explorer in

How to achieve different index based on receiving port on heavy forwarder?

Hi All, We are collecting different logs from same source on different UDP ports on Heavy forwarder. Heavy forward...

by Explorer in

Why are Indexers not processing "Discard specific events and keep the rest"?

Hi, I wana keep only logs Not containing the word "chatbot". This word is present in the _raw data I'm ...

by Path Finder in

Best Practice for Splunk to collect rolling logs

The app write log entries to a log file, say /var/theapp/thelogfile.log. The app is configured to roll the log file...

by Explorer in

Regex transforms not applied on Windows event logs

I wish to remove unneeded text from Windows event logs before they are indexed. Specifically, Windows event 4624 cont...

by Explorer in

How to filter windows event logs in forwarder based on event codes?

Hi, I am trying to pull event logs from remote machines using universal forwarders. I have done the configuration ...

by Engager in

Splunk Permission denied for log files

We are using Splunk Enterprise server to send logs to be indexed. The monitor config is stored in '/opt/splunk/etc/sy...

by Observer in

Failures to restart the UF in Windows

Hi! What are some common causes of failures to restart the Splunk Universal Forwarder in windows? Thank you!

by Engager in

Search results 5 times actual events for JSON data

Greetings community experts Search results for JSON data received via curl and Rest API from AWS are five times the...

by Path Finder in

How to get data in from DMZ servers?

Hello, I have a few Linux devices that are located within the DMZ. My 3 Splunk servers (Search Head, Indexer, Dep...

by Path Finder in

How to set a source_type for CSV with headers?

Hi, I'm trying to set a source_type for CSV files that contains headers, and the fields are extracted fine.The pro...

by Loves-to-Learn Lots in

How to achieve SEDCMD raw event size reduction?

Hello community, I am having an issue creating appropriate SEDCMD to reduce the size of specific Win events. I ...

by Communicator in

How to create custom source type to add metadata fields to each row and parse an array?

Hi, following ticket: https://community.splunk.com/t5/Splunk-Search/Join-all-objects-with-specific-object-within-th...

by Path Finder in

How to filter WinEventLog using SEDCMD?

Hello, community, I need help reducing Events containing 4688 and ParentProcessName=*splunkd.exe There is an ex...

by Communicator in

How to search for blocked dns/urls in my logs?

I have created a lookup table for the blocked dns/url. I want to see if there are anywhere in my logs or in my enviro...

by Path Finder in

JSON data search stats count(field) by (field) result 5x count from single event

Greetings experts Big picture: using Bash script and curl to download Rest API/JSON from an AWS instance. The begi...

by Path Finder in

WinEventLog sourcetype do not match when applied in SEDCMD

Hello, community, I am having a problem understanding why the WinEventLog sourcetype cannot be accepted as other so...

by Communicator in

How to achieve lookup multiple field but append the missing value?

How do I perform lookup multiple field but append the missing value. ThanksFor example:Table A:Name Role ...

by Motivator in

Why is Splunk OneShot not working?

Hi all, Having a strange issue. splunk add oneshot suddenly stops working. I have tried to re-read a file using...

by Explorer in

How to test a linux forwarder connection to deployment server?

Hello, I've completed the following: 1. Installed Linux forwarder. 2. Assigned ownership and permissions to...

by Path Finder in

Help with SEDCMD Regex SPL for testing purposes

Hello clever people, Would anyone be able to help me build a regex that would work on a SPL level e.g something li...

by Communicator in

How do I resolve universal forwarder issue with TCP connection (can telnet to 8089 and 9997 though from host)?

Hello! Been using the universal forwarder for years connecting to a heavy forwarder currently forwarding to splunk cl...

by Engager in

Get Updates on the Splunk Community!

Getting Data In

Discussions

Any idea why the timestamp of data that send via logstash, change when stored in Splunk index?

How to set workload management rules?

Why is spath returning duplicate value for fields?

Unable to initialize modular input "WinEventLog" after server restart

How to achieve different index based on receiving port on heavy forwarder?

Why are Indexers not processing "Discard specific events and keep the rest"?

Best Practice for Splunk to collect rolling logs

Regex transforms not applied on Windows event logs

How to filter windows event logs in forwarder based on event codes?

Splunk Permission denied for log files

Failures to restart the UF in Windows

Search results 5 times actual events for JSON data

How to get data in from DMZ servers?

How to set a source_type for CSV with headers?

How to achieve SEDCMD raw event size reduction?

How to create custom source type to add metadata fields to each row and parse an array?

How to filter WinEventLog using SEDCMD?

How to search for blocked dns/urls in my logs?

JSON data search stats count(field) by (field) result 5x count from single event

WinEventLog sourcetype do not match when applied in SEDCMD

How to achieve lookup multiple field but append the missing value?

Why is Splunk OneShot not working?

How to test a linux forwarder connection to deployment server?

Help with SEDCMD Regex SPL for testing purposes

How do I resolve universal forwarder issue with TCP connection (can telnet to 8089 and 9997 though from host)?

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

uberAgent

.NET Application Runtime Metrics Not Showing in Sp...

Streamfwd drops IPFIX data with “no template recei...

Splunk Observability Cloud/SignalFx - Related Cont...

Splunk Answers Content Calendar May 2025

Getting Data In

Are you a member of the Splunk Community?

Discussions