I’m using Splunk Enterprise 9 with Universal Forwarder 9 on Windows. I'd like to monitor several structured log files but only ingest specific lines from these files (basically each line begins with a well-defined string so easy to create matching regular expression or simple match against it). I’m wondering where this can be achieved? Q: Can the UF do this natively or do I need to monitor the file as a whole then drop certain lines at the indexer? ... View more

I'm using Splunk Enterprise 9.x  with Universal Forwarders 9.x on Windows 2019. All my forwarders are connected to a deployment server. I notice the following for example: I update a deployment server app (say update inputs.conf with a new input stanza) I restart the deployment server I view the inputs at the forwarder using btool and see that my changes have propagated However, even though the updated inputs.conf file seems to have landed at the forwarder I do not see the events defined by my new inputs.conf hitting the indexer until I restart the forwarder. Perhaps this is expected based on this When to restart Splunk Enterprise after a configuration file change - Splunk Documentation ? Is this expected and if so is there any way to restart the forwarder remotely using Splunk itself?  ... View more

Using Splunk Enterprise 9. I'm trying to populate a dashboard studio dropdown input from query results. I was testing via a simple query (copied from the dashboard studio examples) as follows:   | inputlookup firewall_example.csv | stats count by host   This works fine and the dropdown gets populated with the hosts. However, I'd also expected the following to to work    | inputlookup firewall_example.csv | stats values(host)   but it doesn't and no dynamic entries are in the dropdown.  So my understanding of the query types that can be used with dropdown inputs is incomplete! Can someone point me in the right direction?      ... View more

I have a Splunk 9.0.4 estate on Windows 2019 with the following: Search head 2 x indexers Cluster master/deployment server I'm trying to automate all deployments of apps to forwarders and all configuration on indexers (transforms/prop.conf) etc.  For the apps that go to the universal forwarders this has been straightforward and I simply add them to deployment server and they push out. What I am not clear on is how I might manage pushing out configuration to my indexers in centralised controlled manner. For example, say I have an app that has a component that needs to be pushed to the forwarder to gather events but then a prop.conf modification to increase the TRUNCATE size. How can I do this centrally?  PS: Apologies if this is somewhat of a noob questions! I'm a long term Splunk tinkerer but I only dip into it when my role necessitates it.  ... View more