Getting Data In

Ask a Question

Discussions

Thread Info

How to write props.conf to extract an epoch time as timestamp from events?

I have a epoch time in my events: timestamp=1478787869121. How to write props.conf to extract this timestamp?

by Contributor in

Struggling with inputs.conf and conflicting rules

Hi, I'm struggling with an issue involving my old nemesis, inputs.conf rules :-). In this case, we have a catch-al...

by Builder in

How to send data to indexer and pulling config data from deployment server using forwarder ports?

We will be installing the forwarder onto our domain controllers in DMZ. Question, can we hardwire a port on the DC...

by Contributor in

Is there a way to use an external list file to whitelist or blacklist hosts in serverclass.conf?

Is there a way to use external lists with whitelist filtering? For example if I had systems A and B with several host...

by Explorer in

Why is my timestamp date format changing from dd/mm/yyyy to mm/dd/yyyy?

Hi, I'm using Splunk Enterprise 6.5.0 with Universal forwarders 6.5.0 for some years now to index log files from ....

by Engager in

How to name monitoring stanza in inputs.conf to pick up Windows Applications and Services Logs?

Hello, I am trying to onboard an ActiveRoles server, however it doesn't seem that I'm configuring my inputs.conf ...

by Path Finder in

How to add new fields in indexing time depending on condition

Hello All, Is this possible in Splunk where we can add new fields and there value will depends on condition? in tr...

by Communicator in

Will Splunk ingest a TAR file with a .diag extension?

Hi, I know Splunk will injest a TAR (and other types) file, my question is what if the file extension is NOT *.tar...

by Motivator in

Retirement policy of fishbucket on the universal forwarder

Hello, I want to know a retirement policy of the fishbucket on the universal forwarder for a disk sizing. The d...

by Path Finder in

assigning read permission for the log file on Linux

We need to monitor a log file on linux with the splunk forwarder(splunk user account which is local). Log file is own...

by Path Finder in

running permissions for splunk user of forwarder on linux and solaris

Hi I have some universal forwaders installed on linux (suse) and solaris. I have a user "splunk" to log to thos...

by Communicator in

When installing the universal forwarder, why is it unable to create /opt/app/splunkforwarder/var folder?

I'm trying to install Splunk Universal Forwarder on Red Hat OS. I am getting stuck at this step. Before this command,...

by New Member in

Will splunk reindex the same file with new data if the file was overwritten?

Hi, What will splunk behave like in the two following cases: 1) File A.log, having the lines: 1 2 3 Someone overwr...

by Explorer in

tcp_routing route every thing?

i am test '_tcp_routing' in my virtual machines, before doing that on online system. simply i add: [monitor://afile] ...

by Contributor in

How to find lost logs from universal forwarder?

Hi, I've a universal forwarder on a Linux machine that forwards Security Onion logs to my Splunk instance. Logs...

by Path Finder in

split url and perform a count on it.

You'll have to pardon the newbie question. I'm sure this is crazy easy, but I'm having the worst time figuring it out...

by Engager in

How does timezone assignment work for timezoneless events with one or more Intermediate Forwarders?

One of the new features in Splunk 6.0+ is the capability of a forwarder assigning a timezone to an event in the situa...

by SplunkTrust in

How to edit props.conf so Splunk will recognize a month's time format when the month is in all caps?

Seeking help with TIME_FORMAT in props.conf. I'm trying to get Splunk to recognize a time format in the form of "...

by New Member in

Is it possible to use regular expressions and wildcard in the monitoring stanza of inputs.conf?

In inputs.conf for monitor stanza, can we write regex? If so, /opt/splunk/cgate* matches (/opt/splunk/cgateee) o...

by Contributor in

How to edit my props.conf to make sure CSV file data gets indexed?

Hi, I am using below props file for CSV but data is not getting indexed or sent into Splunk. Need help in updating pr...

by Explorer in

How to build a regular expression in order to mask password text in props.conf?

I have the following string in the events and I would like to mask the password text using sedcmd. Content={"Login...

by Explorer in

What is the procedure to monitor changes to file content?

Hi, What is the procedure to monitor changes to file content? As per knowledge we can add some parameters to props...

by New Member in

Why is my Splunk Forwarder showing up as "$COMPUTERNAME"?

I used the variable "$COMPUTERNAME" in my app's inputs.conf file. For all the PCs that got it, it's reporting their c...

by Builder in

How to update props.conf to extract timestamp from my sample data?

Please help me with props.conf file i have sample data below i want to extract time stamp from the below sample data....

by Communicator in

Does INDEXED_EXTRACTIONS work for Active Directory

Hi, I'm looking at options for improving some reporting for a heavy feed from AD. Is INDEXED_EXTRACTIONS supported...

by Champion in

Get Updates on the Splunk Community!

Getting Data In

Discussions

How to write props.conf to extract an epoch time as timestamp from events?

Struggling with inputs.conf and conflicting rules

How to send data to indexer and pulling config data from deployment server using forwarder ports?

Is there a way to use an external list file to whitelist or blacklist hosts in serverclass.conf?

Why is my timestamp date format changing from dd/mm/yyyy to mm/dd/yyyy?

How to name monitoring stanza in inputs.conf to pick up Windows Applications and Services Logs?

How to add new fields in indexing time depending on condition

Will Splunk ingest a TAR file with a .diag extension?

Retirement policy of fishbucket on the universal forwarder

assigning read permission for the log file on Linux

running permissions for splunk user of forwarder on linux and solaris

When installing the universal forwarder, why is it unable to create /opt/app/splunkforwarder/var folder?

Will splunk reindex the same file with new data if the file was overwritten?

tcp_routing route every thing?

How to find lost logs from universal forwarder?

split url and perform a count on it.

How does timezone assignment work for timezoneless events with one or more Intermediate Forwarders?

How to edit props.conf so Splunk will recognize a month's time format when the month is in all caps?

Is it possible to use regular expressions and wildcard in the monitoring stanza of inputs.conf?

How to edit my props.conf to make sure CSV file data gets indexed?

How to build a regular expression in order to mask password text in props.conf?

What is the procedure to monitor changes to file content?

Why is my Splunk Forwarder showing up as "$COMPUTERNAME"?

How to update props.conf to extract timestamp from my sample data?

Does INDEXED_EXTRACTIONS work for Active Directory

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services

No such file or directory: 'java' adding JMX acco...

WARN SSLCommon [53742 FwdDataReceiverThread] - Re...

Configuring Splunk OTel Collector for Linux/Window...

Upload failed with ERROR: Read Timeout

DB Connect SQL Procedures