I did extract Splunk logs from a different Splunk instance using curl export method with the following information in the csv format | table index, sourcetype, source, host, _raw I got nearly some 5GB data. Is there any way I can import this data in another Splunk instance's HF so that the data get auto aligned to the right index, sourcetype, source and host? Currently, I am trying the add data from the console which allows 500mb but it request manually choose the sourcetype, index and other settings before importing.  ... View more

I am located in Australia/Sydney time zone and my Splunk is wrongly understanding timestamp sometimes. When logs are ingested into Splunk e.g. for today’s date 01/06/2021 is misunderstood by Splunk config as 06th of Jan 2021 instead of 1st of June 2021 for some log sources and this issue is happening every month for the first few days. Majority of my hosts are ingested as 6th of Jan 2021 instead of 1st of June but not all the hosts. I checked the settings for each of the sourcetype and most of them doesn't have any specific setting on time zone or how to read the time stamp. So far the time stamp issue is happening in the first few days of the month and then its auto corrects the new logs by Sydney time zone. How can I declare the setting globally to ensure all the logs align with the right time zone? ... View more

Our Splunk architecture is like Two HFs pointing to Two internal Indexers and Two external Indexers. Internal Indexers have different data and external indexers have different data (these indexers also receive data from other external HFs too) and HF's route the data correctly into the respective indexers. We had a situation with fail over script which removed the outputs.conf file in both the HFs which resulted indexing the data locally into the HF and able to search this data in HFs but didn't go to indexers to search from search heads. After we putting back the outputs.conf file the new data is going into the right indexers as intended but the data between is indexed into HF and lost in the indexers. How can I re-ingest this data that's indexed in the HF into the indexers using the correct config. I tried renaming the fish buckets folder and checked if that re-ingests the data but it only ingested small amount of data not everything. I can still see data in my HF under $Splunk_home/var/lib/splunk/<index_name>/db/_raw  What's the best way to re-ingest this data without manually moving the files into the indexers. Thanks ... View more

I have the following inputs.conf in the UF for Splunk_TA_windows. My intension is to send a copy of logs into two different indexers, I am aware of license re-use but I am ok with that. With the below config some logs are going to one index and other logs are going to other index. When I compare the logs in index wineventlog and testsys they are not identical, the logs that I see in wineventlog are different and testsys are different. Looks like some are pushed to one index while other are pushed to    ###### Windows OS Logs ############## [WinEventLog://Application] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index = testsys renderXml = false [WinEventLog://Application] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index = wineventlog renderXml = false [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" index = testsys renderXml = false [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" index = wineventlog renderXml = false [WinEventLog://System] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index = testsys renderXml = false [WinEventLog://System] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index = wineventlog renderXml = false [WinEventLog://Microsoft-Windows-DriverFrameworks-UserMode/Operational] disabled = 0 ... View more

I have Splunk in the below design One HF to two sperate indexers that are not clustered.  I have UF installed on my workstation and UF is sending logs to the HF. HF has data inputs set to all types of windows logs to an index to windows and this is going to indexer A but data not going to indexer B. My outputs.conf in the UF is like [tcpout] useACK = true maxQueueSize = auto readTimeout = 300 [tcpout:abchf] server = 10.20.30.40:9997 compressed = TRUE sslRootCAPath = C:/Program Files/SplunkUniversalForwarder/etc/apps/test sslCertPath = C:/Program Files/SplunkUniversalForwarder/etc/apps/test sslPassword = Password sslVerifyServerCert = true sslCommonNameToCheck = google.com In the indexer A I can see the data is ingested but in the indexer B I cannot see the data. As I mentioned earlier indexer A and indexer B are not clustered indexers. ... View more