Can I generate the HTTP Event Collector token on the Heavy Forwarder or...
Where to set Splunk HTTP Event collector on which instance of Splunk? Can I generate this HTTP Event Collector token on the Heavy Forwarder or Search Head? When the application writes the data to...
Is it appropriate to take VM snapshots prior to upgrading Splunk Deployment...
Hello all. Apologies in advance if the answers to these questions are documented elsewhere, but I've not been able to find any direct answers so far. I am about to upgrade our Deployment Server and...
Splunk Add-on for Kafka: Does managing inputs manually from each Heavy...
I have two Heavy Forwarders configured with the Splunk Add-on for Kafka. Now if I manually create input topic messages from each forwarder, won't that become a duplicate? I wanna maintain a balanced...
How to troubleshoot why my heavy forwarder is not receiving Windows event...
I want to send "wineventlog:security " logs to **Heavy forwarder(KIWISERVER)** and below are the configuration files that I have created on the **Universal forwarder** **inputs.conf:**...
How to use a heavy forwarder to collect asset and identity information for...
Hi! I'm following the following directions to try and set up assets and identities for Splunk Enterprise Security on Splunk Cloud through a heavy forwarder....
TA-connectivity: Why is this add-on not working after installing on Heavy...
I just installed TA-connectivity on a Heavy Forwarder. When trying the test commands, I only get the following as output. Is there any fix? [ apps]$ /opt/splunk/bin/splunk cmd splunkd...
FireEye App for Splunk Enterprise v3: How to send FireEye alerts on the heavy...
Using TCP CEF Syslog to send FireEye alerts to our heavy forwarder, how do we get the events to forward to a custom index on the indexer? There is no inputs.conf within the app itself. All alerts are...
How to configure a Heavy Forwarder to forward a subset of Cisco ASA events to...
Running 6.5.0. Attempting to use a Heavy Forwarder to forward a subset of cisco:ASA events to Splunk indexers, while sending ALL events to external syslog Servers. The filter to the indexers works, but...
What is the regular expression for these Event ID codes?
Client needs to push these event codes through **Heavy Forwarder** to Splunk Cloud. So please help in creating REGEX for filtering the below Event ID's in **transforms.conf** and **props.conf**...
In an indexer cluster, how to configure an Intermediate Forwarder to filter...
The development environment was easy. My indexer cluster production environment (Splunk 6.4.1) is making this difficult. Question is—what am I missing? I believe I have tried everything except the...
How does licensing work for a Splunk Heavy Forwarder and Indexer?
Hi, Need a little insight on how licensing for a Heavy forwarder works: We are planning a solution for Client where we might have one instance of Heavy forwarders and two instances of indexers per...
Keeping Host data when using Heavy Forwarder
We have recently moved from having an internal hosted Splunk setup to Splunk Cloud. Before the move to the Cloud all of our logs sent to syslog-ng kept the correct host information. Now though we have...
Splunk DB Connect: How to resolve when RPC Service is down when initially...
Hi, I'm attempting (badly) to get the Splunk DB Connect add-on working. Here is what I've done so far: Installed the heavy forwarder on the same host as the Oracle DB Configured it to talk to the...
How to redirect some SNMP data to a new index?
We have SNMP data being sent from a heavy forwarder to our indexers into an index that we'll call cacti. We want SOME of the data (specifically traffic data) to go to another index. My inputs.conf on...
Anyone know how to set up a deployment server to update heavy forwarders?
I'd like to configure a deployment server to manage the configuration files on my heavy forwarders (inputs.conf, props.conf, transforms.conf, etc.) In production, I have 10 heavy forwarders. Two are...
Splunk App for Jenkins: Why do I have to log into the indexers in order to...
I have the Splunk App for Jenkins installed on my search heads, indexers, and heavy forwarders. It appears that the only place that anything is getting data back in the dashboards is when I log into...
Why is line breaking not occurring as specified in props.conf?
Hi Guys I have an issue with line breaking. I used data preview in Splunk Web and it breaks line as what I wanted. But it doesn't do the trick when it deploys to props.conf in heavy forwarder. The...
Cisco eStreamer for Splunk: How to resolve error "Problems starting the...
Hi everyone! I attempted to follow the other "Problems starting the eStreamer client" post but was unable to get it running. Unfortunately, it isn't giving me any specific reason why it's failing. I am...
How to resolve "TcpOutputProc - Queue for group ICSRouting-checkpoint has...
Hello, We use a Heavy Forwarder (HF) to forward CheckPoint logs to an external third-party SIEM using the TCP protocol. I have noticed from time to time this kind of errors: 01-25-2017 15:47:44.071...
splunk heavy forwarder 500 internal server error when login
Hello, when I try to log in to the Splunk heavy forwarder through the UI to install Splunk apps, I am getting "500 Internal Server Error" when I do "http://myserver:8000" the UI is coming up but once I am try...