×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
tawm_12
Engager
Member since: ‎12-02-2024
‎08-11-2025
Community Statistics
Posts 3
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎12-02-2024
View All

Ingesting application logs from Docker container i...

by in Getting Data In
‎04-02-2025 06:28 PM
‎04-02-2025 06:28 PM
Hi everyone, I'm seeking advice on the best way to send application logs from our client's Docker containers into a Splunk Cloud instance, and I’d appreciate your input and experiences. Currently, my leading approach involves using Docker’s "Splunk logging driver" to forward data via the HEC. However, my understanding is that this method primarily sends container-level data rather than detailed application logs. Another method I came across involves deploying Splunk's Docker image to create a standalone Enterprise container alongside the Universal Forwarder. The idea here is to set up monitors in the forwarder's inputs.conf to send data to the Enterprise instance and then route it via a Heavy Forwarder to Splunk Cloud. Has anyone successfully implemented either of these approaches—or perhaps a different method—to ingest application logs from Docker containers into Splunk Cloud? Any insights, tips, or shared experiences would be greatly appreciated. Thanks in advance for your help! Cheers, ... View more

Re: Info from index=_internal does not match CMC i...

by in Monitoring Splunk
‎12-03-2024 08:15 AM
‎12-03-2024 08:15 AM
This info actually matches the data from the CMC, the only issue I have is that you can't group the volume by index (although I can group by splunk_server/indexer). ... View more

Info from index=_internal does not match CMC inges...

by in Monitoring Splunk
‎12-02-2024 04:08 PM
‎12-02-2024 04:08 PM
Hello, dear Splunk Community. I am trying to extract the ingest volume from our client's search head, but I noticed that I am getting different results depending on which method I am using. For example, if a run the following query: index=_internal source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval GB=round(b/1024/1024/1024, 3) | timechart sum(GB) as Volume span=1d     I get the following table: _time Volume 2024-11-25 240.489 2024-11-26 727.444 2024-11-27 751.526 2024-11-28 777.469 2024-11-29 727.366 2024-11-30 724.419 2024-12-01 787.632 2024-12-02 587.710   On the other hand, when I got to Apps > CMC > License usage > Ingest, and fetch the data for "last 7 days" (same as above) I get the following table: _time GB 2024-11-25 851.012 2024-11-26 877.134 2024-11-27 872.973 2024-11-28 949.041 2024-11-29 939.627 2024-11-30 835.154 2024-12-01 955.316 2024-12-02 963.486   As you can see, there is a considerable mismatch between both results. So here's where I'm at a crossroad because I don't know which one should I trust. Based on previous topics, I notice the above query has been recommended before, even in posts from 2024. I don't know if this is related to my user not having the appropriate capabilities or whatnot, but any insights about this issue are greatly appreciated. Cheers, everyone. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-11-2025 07:45 PM
Karma given to