Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About tbarn005
tbarn005
Engager
Member since:
12-02-2024
07-16-2025
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 12-02-2024 |
Activity Feed
- Posted Re: Splunk Ingest Actions on Getting Data In. 07-16-2025 08:49 AM
- Posted Re: Splunk Ingest Actions on Getting Data In. 07-15-2025 11:49 AM
- Posted Re: Splunk Ingest Actions on Getting Data In. 07-15-2025 11:36 AM
- Posted Splunk Ingest Actions on Getting Data In. 07-10-2025 02:12 PM
- Posted Re: Splunk Deployment App Filtering SharePoint Logs on Getting Data In. 07-10-2025 07:56 AM
- Posted Re: Splunk Deployment App Filtering SharePoint Logs on Getting Data In. 07-03-2025 01:47 PM
- Posted Splunk Deployment App Filtering SharePoint Logs on Getting Data In. 07-03-2025 01:08 PM
- Posted splunk admin password not resetting on Splunk Enterprise. 04-16-2025 01:08 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
07-16-2025
08:49 AM
To clarify, we’re running a single Splunk instance where the Deployment Server, Indexer, and Search head all reside on the same server so it’s a non-distributed architecture. When I mentioned “deployment,” I was referring both to our overall Splunk setup and the fact that our Deployment Server shares the same host as the Indexer. We have only one indexer, no clustering, and no heavy forwarders (HFs) in use. However, we do have universal forwarders (UFs) installed on various servers, and they’re configured to send data directly to the indexer. Regarding Ingest Actions (IA), I’ve configured one rule locally on the indexer to drop data from the source type PerfmonMK:CPU. The rule uses a regex filter (^PerfmonMk:CPU$) with a drop action. IA rules are applied only on the indexer.
... View more
07-15-2025
11:49 AM
Yes, this is one of the first things i've found when searching and i reset that password on both the indexer and my forwarders and still nothing
... View more
07-15-2025
11:36 AM
So we have a single search head here. I should mention that our deployment and indexer are on the same server. I am aware that best practices is to separate them. Do you think this could be it? As far as how i've configured Ingest actions I only have one rule now to drop all PerfmonMk:CPU > filter using regex > "^PerfmonMk:CPU$" it does not seem to be dropping the data
... View more
07-10-2025
02:12 PM
Trying to filter out all perfmon data using ingest actions. so, i try and see the samples and i get this error I checked to see if my forwarders have the same pass4SymmKey and they did. I am not sure what to do im checking now to ensure the FW isnt blocking communication but i think that is unlikely. I can see the servers in forwarder management picking up the deployment apps from the indexer. anyone have any ideas??
... View more
Labels
- Labels:
-
data
-
indexer
-
other
-
universal forwarder
07-10-2025
07:56 AM
Sorry about the week late reply but that does not seem to work. I am still getting logs that i dont need i just disabled ingestion from that folder location. Does splunk have any app that would filter data easier than creating the transforms and props.conf files?
... View more
07-03-2025
01:47 PM
I may have misspoken i want to reduce the storage usage on my indexer. I have a SharePoint server that has Splunk UF on it and its ingesting unnecessary data that is eating a lot of storage on my indexer. The screen shots come from my indexer. Im doing a bit of research now and it looks as if i can use the ingest actions to possibly filter out some of that unnecessary data from that sharepoint UF?
... View more
07-03-2025
01:08 PM
Hi Splunk Community, I’m trying to reduce disk space usage on my Splunk Universal Forwarder by filtering out unnecessary SharePoint logs and only forwarding those with a severity of High, error, or warning in the message I created a deployment app named SharePoint. here is what's in that folder: I attempted to create a props and transforms.conf files to filter out the data that was unnecessary. i only need to see the log files in the dir that have certain key words not all of those logs here is what i wrote in the files. I didn't write the regex myself i found something similar to it online somewhere and tried to make it work for my environment After deploying this i now do not see any of my SharePoint logs indexed at all for this specific server even the ones with high. As you can see from the logs i even pointed them at a test index that i made so i should be seeing them I'm not sure what's going on.
... View more
Labels
- Labels:
-
index
-
indexer
-
source
-
sourcetype
-
universal forwarder
04-16-2025
01:08 PM
Hello, all i am fairly new to the Splunk community and I'm attempting to reset my Splunk admin password and for whatever reason it does not work i go and delete the "etc/passwd" and restart my Splunk instance and attempt to login to the web interface, but it never prompts me for a reset. I have even tried commands to do it manually, but nothing works. Has anyone else had a problem like this?
... View more
Labels
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-16-2025
08:41 AM
|
