Forwarding events to specific index on chained installation with Universal...
**Greetings!** Is it possible to define index=myindex only on Heavy Forwarder to forward events from Universal Forwarder without having index=myindex definition on source system? Like: **Source file**...

Why is our third party logstash only receiving half of logs forwarded from...
Hi Team, We are currently forwarding Windows logs to third party siem and logstash but there is problem. Looks like third party receiving only 50% of logs although we are forwarding all logs....

Why is TCP data not being indexed?
Hi, I have a feed of events coming into my Splunk Heavy Forwarder, but they aren't being indexed, and I'm baffled. Here's my inputs.conf: [tcp://:1918] index = istr_security sourcetype = bcoat_proxysg...

How to configure Splunk App for Jenkins for a Heavy Forwarder to Splunk Cloud?
We have a number of separate environments each of which has Jenkins servers and a Splunk Heavy Forwarder that is sending events to Splunk Cloud. The docs don't mention HTTP token creation and there...

Splunk DB Connect: Why are we receiving errors when configuring resource...
We are trying to get resource pool working on Splunk DB Connect 2.3.1 but are getting errors. Have followed the setup documentation. Have 2 servers running DBX 2.3.1 (one is to be a master node and the...

How to set up a heavy forwarder in a non-production indexer clustering...
I was wondering what everyone was doing when needing a Heavy Forwarder in a clustered lower (non-production) environment. I currently have a user that wants to utilize the SPLUNK4JMX application. I did...

How to create an event filter to send an original event to the indexers and a...
We are trying to filter and modify events and have both original and modified event. The original event would go to the indexers and the modified event needs to go to the syslog server. When we used UF...

Why does AWS CloudWatch stop receiving events with the error "400 Bad Request...
We have configured large number of CloudWatch log groups as a separate input in our heavy forwarder. We have noticed that when pulling the logs from AWS instance, we are getting throttling exceptions...

How to view individual hops of data before it reaches indexer?
We have got "heavy forwarders" and our client has got Splunk Heavy Forwarders at their side before they send to us. So the path of flow is Individual host (A) with UF => Heavy Forwarders (B) =>...

Why am I only able to view 3 items in the list for Forwarded Inputs, Event...
It appears that the list is limited to showing 3 items, even though there are more in my list... This is in the heavy forwarder web GUI, has always been like this (from what I can remember): I usually...

How to route and filter data on the Heavy Forwarder to separate indexer groups?
We need to route and filter data on the heavy forwarder. We are having trouble configuring the routing of security logs to a Splunk instance specifically for security logs and the main Enterprise...

Can I update max_fd parameter in limits.conf on a list of heavy forwarders...
Hi All, 1) Can I update max_fd parameter in limits.conf on a list of heavy forwarders via any deployment app? [inputproc] max_fd = 1024 and will it override the default value...

How to integrate McAfee ePO in a distributed environment with Splunk DB...
Hi, I'm planning to install McAfee + Splunk DB Connect on several heavy forwarders (4) using the Deployment Server. The fact is, I don't know what will happen if all the TAs start collecting at the...

What do Splunk Ninjas think are the top three daily Splunk tasks in a large...
Hello all, I am trying to build a workflow for our new Splunk product and want to know what top three regular daily tasks you may do in Splunk Enterprise. This includes anything in regards to ES...

How should I implement a Splunk architecture on a 2 virtual machine,...
Hi, we have to implement a Splunk architecture (for a development/test environment). We have 2 virtual devices, and we should replicate this set: 1 Deployment server, 1 Heavy Forwarder, a cluster of 3...

How to undo a command that changed the name of my sourcetype?
Hello, For some reason, when setting up some heavy forwarders to accept syslog data on UDP 514, a colleague of mine ran the following command: splunk add udp 514 -sourcetype udp:514. This added the...

What's the best way to blacklist a Windows event code?
I have over 300 Universal forwarders and I'm getting several eventcode=5156 events errors. Is there a way to blacklist this event on a heavy forwarder? If not, what would be the best approach for...

How to resolve when a log file is falling behind?
Hi, We recently enabled syslog for dns devices, including query events. I checked this morning, and the events are about 4 hours behind. Looking for advice on how to fine tune this... This particular...

How much more power would masking sensitive data take, especially with SED...
Hi All, I am currently working with a large client who would like to use Splunk to mask sensitive data but are worried about the computational and time overheads. Is there any data on how much more...

Splunk Stream: Why is there inconsistent data produced between the deployment...
I am getting inconsistent issues when running the streamfwd on CentOS 7.x. On the Deployment server some data is captured, i.e. Stream Estimate shows statistics. The heavy forwarders, which are generally...