How to trace or tag events to know which specific Heavy Forwarder the events...
We've got more than a dozen Heavy Forwarders (HF) that are behind a pair of load balancers that handle all our system log (syslog) traffic. Is there any way to trace back or tag the events to know...
View ArticleSplunk_TA_Windows and non-standard index
Hi! I have several windows hosts with the Universal Forwarder and Splunk_TA_Windows installed. they are feeding into a heavy forwarder and being forwarded to SplunkCloud. My Windows event logs from...
View ArticleCan you configure the Universal Forwarder on NIX (syslog) to send some logs...
We have a syslog server where there are many logs going to the indexer. Can we configure the Linux Universal Forwarder to send some files to the indexer and others to the Heavy Forwarder to be post...
View ArticleHow Data cloning can be done through a heavy forwarder?
I have a test environment(search head) in which there aren't any events. Now I want to do some data cloning and get some dummy events to my Testing search head. For that I'm thinking of getting those...
View ArticleHow to prefix forwarded log messages with a syslog header when sending to a...
I'm trying to forward a subset of log messages (/var/log/secure and windows security events) from a heavy forward to a syslog-ng server which is listening over TLS. I've got this working for `syslog`...
View ArticleHow can I route data to specific indexers using a heavy forwarder?
I have a universal forwarder that sends 2 source types to heavy forwarder successfully. i need this heavy forwarder to route the received source types between 2 indexers. My configurations on heavy...
View ArticleProblem with Indexer Discovery: Receiving "ERROR...
Hi, We have index clustering working fine. We have several heavy forwarders configured successfully with indexer discovery. However, when I go to add another new forwarder, I get the issue below. My...
View ArticleProblem: Unable to send cooked data to two different Indexer ports
Hello Experts, I have an issue where I am unable to send cooked data to two different Indexer ports. My flow of traffic is UF > HF > IDX UF IP: a.a.a.a HF IP: y.y.y.y IDX IP: x.x.x.x 1) Universal...
View ArticleForwarding of data dies
Have about 1000 UFs that not getting data that is searchable They are throwing the error: 10-05-2016 14:54:05.162 +0000 INFO TailReader - Could not send data to output queue (parsingQueue), retrying......
View ArticleIs it possible to combine the two functionalities of Indexing and Heavy...
Guys, I currently have Splunk Enterprise 6.5.0 Free running on a W2k8 R2 host and Universal Forwarders (Windows host) and direct syslog (unix host) feeding log data into it fine. i am working here on...
View ArticleWhy would a universal forwarder be needed if it is unable to restrict or...
Hi Experts, Please clarify my doubts regarding the Universal Forwarder: 1) Is installing the UF on 60 machines (mix of Linux/Windows) a good option or is pulling data (like remote data) a better...
View ArticleMissing Source IP address when logs are forwarded to third-party from our...
Hi, We are forwarding some of our logs from Splunk to a third party IBM Qradar environment. The third party is not able to see the actual source IP address of the logs - they only see our heavy...
View ArticleWill a 6.5.0 Heavy Forwarder work with a 6.3.0.1 indexer cluster?
Does anyone know if the 6.5.0 Heavy Forwarder would work with a 6.3.0.1 Indexer Cluster? Any incompatibilities or issues I should be aware of?
View ArticleIs there a way to trigger an alert in Splunk Cloud to send something to my...
I have a request for an alert in Splunk Cloud to run a script whenever triggered. The issue is that due to networking rules, I cannot open up the firewall from SC to my device that needs the script. I...
View ArticleForwarding text file to destination TCP or syslog server
Requirement: Have a log file that is always appended with data. I wish to send the log file details as it is appended, to a destination server which is either run as a typical TCP server or a syslog...
View ArticleMy heavy forwarder running Splunk Add-on for Check Point OPSEC LEA lost...
I just noticed that a heavy forwarder which runs Splunk Add-on for Check Point OPSEC LEA lost connection with Check Point SmartDashboard recently. I disabled and re-enabled connections and this didn't...
View ArticleHow to forward data to both third party and indexer servers without...
I am fairly new to Splunk. The company I work for already has Splunk universal forwarders installed on servers to pull log content out to Splunk servers to index. Now we would like to forward the same...
View ArticleRedirecting data through two heavy forwarders, is it possible to reprocess...
All, I have data flowing through a heavy forwarder. Security wants a SECOND heavy forwarder that they manage to SEDCMD out certain PII. Is it possible to reprocess already cooked data?
View ArticleIs there a way to get a list of heavy forwarders via rest?
Hi, Is there a way to get a list of heavy forwarders via REST? We are creating our own HFW health page, since the DMC doesn't support it.
View ArticleCisco eStreamer for Splunk: How to troubleshoot error in which eStreamer logs...
Hi I am using eStreamer app in Splunk, I am unable to get streamer logs displayed on Splunk Search Head. We are utilizing a heavy forwarder server to dump the streamer logs onto 'log' folder on this...
View Article