Getting Data In

Discussions

Thread Info

How do I add fields to incoming data?

Hi, I'm trying to load a CSV file using the universal forwarder, and there are no headers in the CSV file. How ca...

by Explorer in

Universal fowarder and WMI

I want to configure the universal fowarder to poll WMI data and forward it to my indexer. I understand that I need a ...

by Path Finder in

How do you parse and chart fields in a JSON array?

Hi, I have a log event where part of the log entry contains some JSON data similar to the following format: ...

by Explorer in

Parsing very long JSON lines

I am working with log lines of pure JSON (so no need to rex the lines - Splunk is correctly parsing and extracting al...

by Explorer in

What do I look at in splunkd.log to troubleshoot deployment client issues?

Hi Splunkers, I have a list of servers that have the Splunk UF running on them. These servers are not showing up i...

by Path Finder in

JSON Double Extraction

I've got an odd problem with JSON extracting twice. I've read the other posts on this and believe what I have should ...

by Path Finder in

How come event breaker based on timestamp works when uploading a file but not with source type props.conf?

Hi guys, I am trying to index a ProxySQL log file which looks like: ProxySQL LOG QUERY: thread_id="25" username...

by Path Finder in

How come our forwarder is not getting configuration from deployment server?

Hello Everyone, I have set up my own test environment where I have my deployment server (DS) on Windows with Splun...

by Path Finder in

transforms ,tsv input, taking each log entry and distributing it across days in that month

I'm not sure if it's possible. I know I can limit, and I know I can play some regex on the input. But has anyone done...

by Engager in

How do you make a search that checks two lookup tables and optimizes results?

Hello Splunk friends! I have two lookup tables. The first http_full (http_full.csv) looks like this: status,IP...

by Explorer in

Why is Inputlookup CSV truncating my data?

I use the inputlookup file.csv and the zeros on numbers are deleted ex. 00075 to 75, it also truncates some numbers e...

by New Member in

How can I correlate firewall traffic from two different timestamps

I want to get a list of traffic that has accessed the same site at two different times. All I know are the times: say...

by Explorer in

How do I ingest logs generated from Outlook thick client running on Windows 7?

We are specifically looking to Ingest logs generated from the Outlook client that will capture Outlook Rule and Folde...

by New Member in

How to correlate field values between an index and a lookup file?

Hi, I have a CSV ( current_assets.csv) with fields device_name and ip (and tons of values for them). Here is an e...

by Communicator in

JSON Parsing error

Setup Splunk monitoring to watch a directory. Files started coming in but with the timestamp not being parsed correct...

by Explorer in

Splunk docker image including an app

Hi, I'm new to Splunk. I got the docker image from https://hub.docker.com/r/splunk/splunk/ and it's working fine. ...

by New Member in

How do you event break in props.conf?

Hello, I am trying to break multiline events based on regex. but some events are not splitting properly. Events...

by Builder in

What is the best way to deal with my buckets when migrating the Splunk_DB of a index to another drive?

What is the best way to deal with my buckets when migrating the Splunk_DB of a index to another drive? Hello, Splu...

by Path Finder in

How to tell if Splunk universal forwarder performance is keeping up and sending all monitored data as expected?

Hi, I've been troubleshooting a problem where files are occasionally getting missed in Splunk. The app creates a l...

by Champion in

How to find matching and un-matching field values between an index and lookup file?

Hi, I have a CSV ( current_assets.csv) with fields device_name and ip (and tons of values for them). Here is an e...

by Communicator in

Splunk UF wineventlog monitoring is too slow

Hey, I have around 30 Splunk Universal Forwarders on my environment, monitoring the local Event Log (Windows Servers...

by Path Finder in

How do I find out what heavy forwarder a device is sending logs from?

We have a DMZ heavy forwarder (HF) that sends logs from the devices on the DMZ environment to our Splunk server. I ne...

by Communicator in

syslog udp drops in linux

Hi, Architecture: We have syslog-ng running in our infra. This syslog resides behind a LB This alerts come to...

by Explorer in

I have install splunk forwarder , but the splunk enterprise can't detect it

I have install splunk forwarder , but the splunk enterprise can't detect it. Both machine on the same subnet. I use I...

by Path Finder in

Extract full XML from Windows EventLog sent by UF

Hello all, I have some events like this which are forwarded to Splunk from UF <Event xmlns='http://schemas.microso...

by Path Finder in

Get Updates on the Splunk Community!

Getting Data In

Discussions

How do I add fields to incoming data?

Universal fowarder and WMI

How do you parse and chart fields in a JSON array?

Parsing very long JSON lines

What do I look at in splunkd.log to troubleshoot deployment client issues?

JSON Double Extraction

How come event breaker based on timestamp works when uploading a file but not with source type props.conf?

How come our forwarder is not getting configuration from deployment server?

transforms ,tsv input, taking each log entry and distributing it across days in that month

How do you make a search that checks two lookup tables and optimizes results?

Why is Inputlookup CSV truncating my data?

How can I correlate firewall traffic from two different timestamps

How do I ingest logs generated from Outlook thick client running on Windows 7?

How to correlate field values between an index and a lookup file?

JSON Parsing error

Splunk docker image including an app

How do you event break in props.conf?

What is the best way to deal with my buckets when migrating the Splunk_DB of a index to another drive?

How to tell if Splunk universal forwarder performance is keeping up and sending all monitored data as expected?

How to find matching and un-matching field values between an index and lookup file?

Splunk UF wineventlog monitoring is too slow

How do I find out what heavy forwarder a device is sending logs from?

syslog udp drops in linux

I have install splunk forwarder , but the splunk enterprise can't detect it

Extract full XML from Windows EventLog sent by UF

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Heavy forwarder HEC wouldn't accept events 1% of t...

Troubleshooting: SplunkHecExporter in otelcol-cont...

Tuning Configuration Event Hub in Microsoft Cloud ...

how do i validate new logging locations in splunk

How to access jira tickets beyond 100 in Splunk?