Should I use a heavy forwarder or indexer for this scenario?
Greetings, I'm trying to figure out if there is an advantage to having a heavy forwarder over just an indexer in the following scenario: - All of the infrastructure is virtual and is on the same...
How to filter XML in Heavy Forwarder
Hi Everyone, Apologies for my post here, since I am unable to post a new question adding in this. I am having a tough time filtering the data from my incoming xml in Heavy Forwarder and sending to Indexer....
Can an intermediate Heavy Forwarder forward data to a third party system...
Can I forward data from the universal forwarders using an intermediate heavy weight forwarder to a third-party system without indexing? If so, how exactly would I achieve this? Thanks :)
Heavy forwarder with 2 NICs not communicating on 8089
I have a heavy forwarder running 6.4.1 on CentOS 7 with 2 NICs on separate subnets (data and mgt) that won't communicate on port 8089. In a netstat I can see that 8089 is listening but no comms. When I...
Why am I getting timeout issues from Splunk forwarders to the intermediate...
I have a random time out issue from Splunk forwarders to the Splunk intermediate (heavy) forwarder. When I do `netstat -al | grep 9997`, I get: splunkndx-9997 SYN_SENT splunkndx-9997 FIN_WAIT1 from...
Will the HTTP Event Collector respond with any error if it can't keep up with...
I am planning to use HEC on heavy forwarder(s) which will forward to the indexer(s). My question: Is HEC designed to return any error(s) to the sender if it can't keep up with volume of input? Does...
How to forward data to a remote app from a Splunk instance that is currently...
We have a well established Splunk app on an instance which is serving as a Search Head and an Indexer. However, there is some data there which needs to be forwarded to some other site, which hosts a...
How to send all received traffic on a specific port from Heavy Forwarders to...
**Environment:** 2x heavy forwarders (6.4.1) in a load balanced pool (sitting behind haproxy) and using indexer_discovery 1x cluster master, 3x indexer peers 2x search heads **Question:** I am...
Is a Splunk heavy forwarder able to keep track of non indexed file size?
Hello Team, I have a heavy forwarder where I am filtering a 1GB file to 4MB and indexing, and now I want to get the actual file size in my search, that is 1GB. Is this possible in Splunk? If yes, how? Note: I...
Splunk Add-on for VMware: Why is the VMware Collection Scheduler exiting...
Hi @all, We have a Splunk environment with one indexer and two DCNs (heavy forwarder) with version 6.2 installed. One DCN is used for collecting Netapp data, the other one for VMware. On the search...
How to filter and split from a Heavy forwarder to a 3rd party (Hadoop) and...
Use Case: Docker -> Intermediate Heavy Forwarder -> Indexer -> SearchHead (with a branch from the Heavy Forwarder -> Hadoop -> Hunk). Steps: 1. Pipe Docker logs to...
Is it normal to have both sourcetype UDP:514 and sourcetype syslog?
Hello, My colleague configured 1 heavy forwarder and I configured the other 2. In my Splunk, I see both sourcetype UDP:514 and sourcetype syslog. Is this normal, or did we set different sourcetypes...
After setting up the HTTP Event Collector on a heavy forwarder, why am I...
Hi, I was able to get the HEC up and running on a HFW, but now when I submit an event, I get "token is required", even though I'm passing a token. curl -k...
Running the Splunk App for AWS in a tiered environment, why does it only list...
Hi folks. We are attempting to configure the Splunk App for AWS. The documentation for the app recommends running it on a Heavy Forwarder, but we are unsure how to get captured events stored in the...
Directing incoming data from heavy forwarder to index by host name
Hi, I have data coming in from multiple hosts using either syslog, or a universal forwarder, going into 3 heavy forwarders, and then forwarding to SplunkCloud. I've created 3 indexes - Financial,...
Why are universal forwarders reporting "Error in SSL_read = 10054" trying to...
Hi, We have a Splunk cluster where we have 1400 hosts with Universal Forwarders installed. These UFs are forwarding to two intermediate Heavy Forwarders using SSL and load balancing. The hosts aren't...
When setting up a heavy forwarder, do I need to create an index locally as I...
When setting up a Heavy forwarder, do I need to have the index created locally as I do in my indexer cluster? So I am setting up Splunk DB Connect and McAfee and have configured the Splunk server to be...
Splunk Add-on for Microsoft Windows: How can I set separate indexes by host...
Hi, I have 3 heavy forwarders which are receiving Windows event logs using the Splunk Add-on for Microsoft Windows. This feeds into Splunk Cloud. Currently all logs are going into 'wineventlog'. How...
How to direct incoming data from heavy forwarder to index by host name?
Hi, I have data coming in from multiple hosts using either syslog, or a universal forwarder, going into 3 heavy forwarders, and then forwarding to SplunkCloud. I've created 3 indexes - Financial,...
Integrating McAfee ePO with Splunk, do we install Splunk DB Connect on the...
Hi, We are integrating McAfee ePO with Splunk where we require Splunk DB Connect to be installed. Went through the docs and found that DB Connect can be installed at the Search Head or Heavy...