Getting Data In

Thread Info

heavy forwarder to route base on _raw values

I'm trying to use the heavy forwarder to route data to different indexes based on values in _raw , is this possible ?...

by Communicator in

Log File Monitoring for specific string, rotating log file names, server requirements

Hello, fairly new to splunk. I have 3 servers that all have text based log files on them. We need to monitor those lo...

by New Member in

SNMP Indexing,

Firstly I am new to Splunk (so aplogies if this is very simple.) Secondly I have a working snmp file being written...

by New Member in

fschange blacklist

I want to monitor entire Disk Drives and blacklist all .log files recursively using fschange. The only way I can see ...

by Splunk Employee in

Next debug steps for Windows file monitor input?

I'm trying to monitor files on a Windows server and it isn't working. I've placed a few stanzas like this into etc/de...

by Path Finder in

Set Current only for all in WMI.conf?

We are a 90% Windows environment. Since we upgraded to 4.3.1, the WMI log format has changed ever so slightly. While ...

by Communicator in

rewrite _raw from universal forwarder not working...

I have the following stansas deployed to lightweight forwarders running Windows: props.conf [WinEventLog:Securi...

by Contributor in

How can one get the host and source IP addresses in the event logs instead of hostname ?

Hi, How can one get the host and source IP addresses in the event logs instead of hostname in either places. It is...

by Explorer in

Creating index centrally

Hi, Is there any way of creating indexes on several indexers centrally? For a fairly small indexer-farm, it isn't ...

by Builder in

universalfowarder syslog receive and send

hi universalforwarder receives and send the syslog data to do? If possible, how do?

by Communicator in

Looping through a Macro using a csv lookup?

I have a request from a user who wants to get some stats from the Exchange App around specific users. Namely they're ...

by Builder in

how to sett forwarers to index on path and file name

Is it possible to set up forwarders to index data on the path of the file and a portion of the file name automaticall...

by New Member in

Does maxVolumeDataSizeMB in indexes.conf do anything?

As far as I can tell, setting maxVolumeDataSizeMB does not trigger bucket moves and has no impact at all. Does anyone...

by Explorer in

Error installing any app

When I try to install any app from the zipped file, I get an error like: There was an error processing the upload. ...

by New Member in

Props/transforms rewrite of _raw is adding a blank event

Hi, I am using a props/transforms TRANSFORM to add the source (log file) name to the _raw log event line. props...

by Builder in

Charset Encoding

Hi guys, I have installed Splunk 4.3 on a MAC OSX 10.7. I am trying to index data with non utf encoding. I have...

by Path Finder in

Choosing the correct timestamp

Hi, I'm having a weird problem with recognizing timestamps. The actual timestamp looks like this: [2012-04-11 11:2...

by Builder in

Can I run multiple Universal Forwarders on Windows Server 2008?

I have a Universal Forwarder looking at a directory holding our proxy logs. New logs are dumped into the directory ev...

by Communicator in

universal forwarder

please I need help , I deployed a universal forward by following tutorial "distributed deployement manual" Th...

by Path Finder in

Filtering and sending only specific data

Hi again, I got one question in filtering and routing to indexer. i got my props like this: pros.conf ...

by Explorer in

Segregation of incoming data

In our environment (mid-size enterprise with remote sites) we have our primary indexer on dedicated hardware. All dat...

by Engager in

Indexing content that may contain in-line gzip

We need to index content that may contain in-line gzip (or other compression) content. We do not need to search on th...

by New Member in

Why won't Splunk re-index my data?

I wanted to see how Splunk would index my data, so I configured it to index a few files into a 'test' index. Now that...

by Splunk Employee in

Major discrepancy between per_sourcetype_thruput and tcpin_connections - which is right?

I'm looking at a Splunk instance right now that is getting 99+% of its data as one particular sourcetype, from two he...

by Motivator in

warning and violations, how to reduce my indexed volume ?

Hi I have a license pool for X Gb per day, and I blow it every almost every single day. How to selectively reduce my...

by Communicator in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Getting Data In

Discussions

heavy forwarder to route base on _raw values

Log File Monitoring for specific string, rotating log file names, server requirements

SNMP Indexing,

fschange blacklist

Next debug steps for Windows file monitor input?

Set Current only for all in WMI.conf?

rewrite _raw from universal forwarder not working...

How can one get the host and source IP addresses in the event logs instead of hostname ?

Creating index centrally

universalfowarder syslog receive and send

Looping through a Macro using a csv lookup?

how to sett forwarers to index on path and file name

Does maxVolumeDataSizeMB in indexes.conf do anything?

Error installing any app

Props/transforms rewrite of _raw is adding a blank event

Charset Encoding

Choosing the correct timestamp

Can I run multiple Universal Forwarders on Windows Server 2008?

universal forwarder

Filtering and sending only specific data

Segregation of incoming data

Indexing content that may contain in-line gzip

Why won't Splunk re-index my data?

Major discrepancy between per_sourcetype_thruput and tcpin_connections - which is right?

warning and violations, how to reduce my indexed volume ?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk Answers Content Calendar May 2025 🎉

Solaris UFs have different build hash than others

Edge Processor Destination not showing up in Pipel...

ERROR: Tor IP are not updating in lookup

How to integrate SentinelOne Singularity Enterpris...

Getting Data In

Are you a member of the Splunk Community?

Discussions