Getting Data In

Discussions

Thread Info

Can I linebreak indexed data that's not correctly linebroken?

I have seen manytime where Splunk didn't copped either multi or single line data correctly ending up with events that...

by Communicator in

How can I extract the DATE from the middle of an event?

I have an ISA web log of the following format. Splunk doesn't correctly identify the timestamp in every event, even t...

by Splunk Employee in

fschange creating event for each line of file.

I am trying to implement file integrity monitoring. I have configured fschange as follows: [fschange:/opt/bea/10_s...

by Explorer in

how do I change a host when seeing multiple hosts?

I see the same host in my Summary page in Search app with same event count. They are the same host but show up lik...

by Engager in

What's the limit of index count per indexer?

Hi everybody At the moment I've got about 170 indexes on my indexer. I What's the best practice limit of number...

by Contributor in

What is the purpose of the _s _st and _h indexed fields?

Can someone shed light on the purpose of the _s _st and _h indexed fields? These seem to correspond to source, source...

by Super Champion in

TIME_FORMAT and subseconds

What is the strptime-style %-variable that TIME_FORMAT would use for subseconds? The docs for props.conf suggest the ...

by SplunkTrust in

Agent vs Agentless event gathering on Windows

Regarding agent vs agentless data / event gatering, WMI (agentless) seems easier to setup from within Splunk to pull ...

by Splunk Employee in

How to take advantage of a multi-core indexer?

My indexer has a Intel Xeon X5570 which has four cores. http://ark.intel.com/Product.aspx?id=37111 How can I ma...

by SplunkTrust in

Who is forwarding data

How can I tell which servers in my enterprise are forwarding to the master server. We do automated installs of vm's a...

by Explorer in

Splunking my Checkpoint firewall logs

Can Splunk index events from my Checkpoint firewall logs? If so, how can I set that up?

by Splunk Employee in

Use the Deployment Manager to change Splunk Forwarding agent passwords?

Currently, all agents installed on hosts default to 'changeme' and this credential is still used when the forwarder i...

by Explorer in

Forwarded events are showing on CLI output during CLI search operation.

I had configured splunk forwarder and receiver in a Linux system as per the Admin manual. I tried searching the forwa...

by Engager in

index settings using "auto" - what is my bucket size?

We are on 4.05 and are using the default of memPoolMB = auto in indexes.conf. Is there a way I can find out what size...

by Path Finder in

If using the LWF, what do I need to enable to send syslog (udp) to a 3rd party system?

Referenced Doc: http://www.splunk.com/base/Documentation/4.1/Admin/Moreaboutforwarders I need to be able to send d...

by Path Finder in

I've set up a forwarder but I'm not receving any events on the splunk indexer.

I've verified that the indexer (receiver) is the same or later version of Splunk as the forwarder. What log or config...

by Splunk Employee in

Splunk 3.4.4 LWF doesn´t process data until logrotate happens. Why?

We have on four Linux SLES10_64 Servers Splunk 3.4.4. Forwarders installed. Usually our production logs produce a con...

by Contributor in

how do i segregate data from one splunk forwarder in a seperate index?

I have one splunk forwarder I need to segregate from other indexes. I have created its own index and I need to know h...

by Path Finder in

Too many license violations, how do I get searches working again?

Currently, when I try to run a search in Splunk, I get the following error message: "Error in 'UnifiedSearch': Yo...

by Communicator in

How to forward data to different indexes from one single input.conf forwarder to one single indexer?

Hello, i want to collect logs from one forwarder (Splunk 4.0.10) and forward the data to different indexes on one ...

by Contributor in

Getting Data In

Discussions

Can I linebreak indexed data that's not correctly linebroken?

How can I extract the DATE from the middle of an event?

fschange creating event for each line of file.

how do I change a host when seeing multiple hosts?

What's the limit of index count per indexer?

What is the purpose of the _s _st and _h indexed fields?

TIME_FORMAT and subseconds

Agent vs Agentless event gathering on Windows

How to take advantage of a multi-core indexer?

Who is forwarding data

Splunking my Checkpoint firewall logs

Use the Deployment Manager to change Splunk Forwarding agent passwords?

Forwarded events are showing on CLI output during CLI search operation.

index settings using "auto" - what is my bucket size?

If using the LWF, what do I need to enable to send syslog (udp) to a 3rd party system?

I've set up a forwarder but I'm not receving any events on the splunk indexer.

Splunk 3.4.4 LWF doesn´t process data until logrotate happens. Why?

how do i segregate data from one splunk forwarder in a seperate index?

Too many license violations, how do I get searches working again?

How to forward data to different indexes from one single input.conf forwarder to one single indexer?

Best of Community @.conf20
Humans That Splunk: Meet Abhishek...
Humans That Splunk: Meet Guiseppe...

Visit our Community Blog >

Microsoft Log Analytics Add-On - Optimize Inputs

Heavy Forwarded Filtering Hosts

Normalizing imported .evtx files with Splunk Windo...

Creating .Net WCF service and consuming it in Splu...

Crowdstrike Stream Stops Woking