I am sending IIS logs to SplunkCloud.  My inputs.conf looks like this:   [monitor://C:\inetpub\logs\LogFiles\W3SVC1] ignoreOlderThan = 7d sourcetype = web_log initCrcLength = 400 [monitor://C:\inetpub\wwwroot\merge\requestlogs\...\*.csv] ignoreOlderThan = 7d sourcetype = csv_webrequest crcSalt = <string> recursive = true initCrcLength = 400   It will work fine for a while, with SplunkCloud getting our data every second reliably as logs update.   The next day it will stop working, with log ingest slowing to a trickle: a few lines every few minutes. Restarting the forwarder occasionally works.  Making a different change can work (changing the initCrcLength, adding or removing crcSalt, adding or removing alwaysOpenFile) but nothing works for more than a day or so.   Does anyone have any suggestions? Thanks in advance. ... View more

We've got Splunk_TA_Windows installed on a number of our servers sending data to our Splunk Cloud instance. However, there is far too much WinEventLog data being sent, pushing us to the limits of our ingest volume. What are best practices to lower this volume. I've already updated the props.conf file with the recommendations from the app installation and we've made adjustments to winnetmon to lower that volume. Are there any other best practices out there? We don't want to just disable it entirely. ... View more

I'm trying to get both JSON and syslog information from our firewall into Splunk Cloud using universal forwarder.   So far I've gotten the JSON in by getting splunk to listen to port 514, forward that to the index, and then adding it using  splunk add udp 514 -sourcetype JSON However, now I want to add the syslog information as well, which comes over the same port.  When I attempt to add that I get an error: splunk add udp 514 -sourcetype syslog Parameter name: UDP port 514 is not available. How do I get the splunk index to read both from the same port? ... View more