Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About vjdev
vjdev
Explorer
Member since:
09-12-2025
3 weeks ago
Community Statistics
| Posts | 9 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 3 |
| Member Since | 09-12-2025 |
Activity Feed
- Posted Re: cgroup error when Splunk Universal Forwarder v9.4.4 is installed on Splunk Enterprise. 3 weeks ago
- Posted Re: Log ingestion delay on Splunk Enterprise Security. 3 weeks ago
- Posted Re: Regex works but transforms.conf extracts only part of the last field on Getting Data In. 4 weeks ago
- Posted Re: Cannot get logs from specific source to seperate by line on Getting Data In. 09-14-2025 11:27 PM
- Posted Re: I wanna forward all data from a single hf to 2 diffenrent splunk instances on Getting Data In. 09-14-2025 07:17 AM
- Posted Re: Are there any ways to whitelist specific fields from json format logs during data-onboarding? on Getting Data In. 09-14-2025 07:02 AM
- Got Karma for Re: sc4s app_parsers don't seem to work. 09-14-2025 07:00 AM
- Got Karma for Re: Are there any ways to whitelist specific fields from json format logs during data-onboarding?. 09-14-2025 06:59 AM
- Posted Re: Are there any ways to whitelist specific fields from json format logs during data-onboarding? on Getting Data In. 09-14-2025 04:00 AM
- Posted Re: sc4s app_parsers don't seem to work on Getting Data In. 09-14-2025 12:25 AM
- Posted Re: How to ingest data from VMWare ESXI host on All Apps and Add-ons. 09-12-2025 10:46 AM
Topics I've Started
No posts to display.
3 weeks ago
Hello, Try restart, if you have not done [SELINUX settings to apply]> [/usr/lib/systemd/system/SplunkForwarder.service] OR [/etc/systemd/system/SplunkForwarder.service] [Service] MemoryLimit=16542720000 [16 GB In Byte | modify as per your system memory ] sudo systemctl daemon-reload sudo systemctl restart SplunkForwarder Thank You!
... View more
3 weeks ago
Hello, Confirm the below, 1. No issues with Network bandwidth [QOS] 2. Splunk Syslog/Syslog-NG/rsyslog which one are you using? 3. View the data with packet capturing, monitor the timestamp in the data.
... View more
4 weeks ago
Hello, Did you make the entry for the srv and ver fields in fields.conf? Thank You!
... View more
09-14-2025
11:27 PM
Hello, TRY BELOW: INDEXED_EXTRACTIONS=JSON KV_MODE=none SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) TIME_PREFIX=\"time\"\:\" TIME_FORMAT=%Y-%m-%dT%T MAX_TIMESTAMP_LOOKAHEAD=21 Thank You!
... View more
09-14-2025
07:17 AM
Hello, Try Ingest action, if you want to process [mask/filter] the data. Use Route to Destination Rule. Else go with multiple target in outputs.conf [tcpout] defaultGroup=cloned_group1,cloned_group2 [tcpout:cloned_group1] server=10.10.10.1:9997, 10.10.10.2:9997, 10.10.10.3:9997 [tcpout:cloned_group2] server=10.1.1.197:9997, 10.1.1.198:9997, 10.1.1.199:9997, 10.1.1.200:9997 Thank You!
... View more
09-14-2025
07:02 AM
Hello, Mask using regex , Filter using regex and EVAL can be achievable. This can help you lot. https://help.splunk.com/en/splunk-cloud-platform/get-started/splunk-validated-architectures/getting-data-in-forwarding-and-preprocessing/ingest-actions-for-splunk-platform Mask, redact, remove, or otherwise change raw data before indexing Tag, add, lookup, or otherwise augment raw data before indexing Thank You!
... View more
09-14-2025
04:00 AM
1 Karma
Hello, Hope below example help for you! 1st Option Transform. [session-anonymizer] REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$ FORMAT = $1SessionId=########$2 DEST_KEY = _raw 2nd option is Ingest actions. If both not helpful, explain more about the requirement . Thank you!
... View more
09-14-2025
12:25 AM
1 Karma
Hello, I have another option. If you can... try this one. https://splunkbase.splunk.com/app/7404 Thank You!
... View more
09-12-2025
10:46 AM
Hello maheshnc, If you use HF to receive syslog, it will receive the log, process it, and store it in the indexers. It wouldn't store in HF. To archive it, Settings → Data Inputs. Find the TCP and/or UDP input options under Network data. Add new for TCP or UDP. Choose the port you want to use. Assign a sourcetype. Choose or define the index. Optionally set host settings. Else, if you want to use UF, set up syslog-ng and store the logs in files and read them using UF by setting up inputs.conf. Difference: UF does not do full parsing, routing based on event content. Transformation/filters that require deep processing. It usually has minimal functionality.It is a lightweight component. HF is a full Splunk Enterprise install that is used as a forwarder. Indexing is typically disabled (or you configure it so it doesn’t index locally) when being used as HF. It can parse, filter, route, transform and mask/anonymize events before forwarding. Thank you!
... View more
