App Issues on Splunk Heavy Forwarder
I'm trying to get my app input coming in via a heavy forwarder. I've deployed the app to the heavy forwarder and configured the necessary but, I'm seeing these logs in my splunkd.log file in the heavy...
View ArticleHow to forward data from an indexer to a 3rd party server
Hi, I have the following setup: 3rd Party Server <---- Splunk Enterprise (Indexer):9997 <---- [Splunk Enterprise (Heavy Forwarder)] OR [Universal Forwarder] If the forwarder is monitoring a file,...
View ArticleWhy is data reaching heavy forwarders but is not getting indexed?
Host are sending data to Heavy forwarders and the data is indexing for some time and stops indexing data till end of the day. Next day again its starts indexing new data and suddenly stops indexing...
View Articlesingle SSL Certificate can be used for different Heavy forwarders?
Can I use single SSL Certificate for different Heavy Forwarders, or I need to assign multiple SSL Certificate to every Heavy Forwarder?
View Articlehow to check traffic volume per heavy forawrder
I plan to calculate the traffic volume in GB across all our HFs. Need this to ensure check which HF is getting max traffic as this is affecting. I was able to get memory, cpu and bandwidth utilization...
View ArticleRecommended ports & best practices for intermediate forwarding?
We have requirement to add a Heavy Forwarder tier between Universal Forwarder and Indexers. Is there a recommended port for communication between **UF** -> **HF**? I know that port 9997 can be used...
View ArticleConfiguring Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)
Hello, I'm in the process of configuring the Splunk App for Windows Infrastructure on our Splunk Cloud. One component I'm having issues with is SA-LDAPSearch. I don't provide external LDAP access, so I...
View ArticleWhy are my logs sent to the default index?
Greetings all, I am new to Splunk and trying to know my way around it. I created a home lab environment with the following details: * 1 search head, 1 indexer, and 1 Heavy forwarder ( All Linux). * 1...
View ArticleIs there a way to send a single sourcetype to a heavy forwarder?
Hi there, Is there a way to send specific sourcetype to a heavy forwarder? For example, I would like to send the "database_access" sourcetype to the heavy forwarder for regex parsing and then send the...
View ArticleSearch to show license usage at heavy forwarder level
Hello, I have a search similar with below which provide a total of 2868 GB usage for last 24 hrs. index=_internal source=*license_usage.log type=Usage splunk_server=indexer_server* | stats sum(b) AS...
View ArticleHow do I install a heavy forwarder for Splunk Cloud in a Windows environment?
Hi, Want to install HF for Splunk cloud on windows. Downloaded the Splunk enterprise 6.6.2 for windows from splunk website. If i install the downloaded file, how will it become a HF? the user...
View ArticleSystem user vs domain user permission to install heavy forwarder on Windows...
Hi, I want to collect ePO logs and want to install a heavy forwarder on a Windows box for Splunk Cloud. This heavy forwarder will only be used to collect ePO and McAfee web gateway logs. Is it okay to...
View ArticleCan a Splunk forwarder send data to Apache Kafka and then to our Splunk...
Hi Due to architecture reasons I need to use Apache Kafka as a message broker between Splunk Forwarders and Splunk cluster. So, the data flow would be something like: Splunk Forwarder ----(SSL)--->...
View ArticleWhy isn't my data incrementing when I use this app?
Hi, I installed the add-on on heavy forwarder in DMZ and configured it as per the documentation. It works then stops incrementing data. Below are the errors in the internal logs. Should Azure have...
View ArticleAdd on for AWS - Where to configure accounts and inputs?
We have the TA installed on the search head as well as the heavy forwarder. The EC2 build roles on each server have the same policy attached that allows them to ingest our AWS information. When...
View ArticleSplunk App for AWS - Where to configure accounts and inputs?
We have the TA installed on the search head as well as the heavy forwarder. The EC2 build roles on each server have the same policy attached that allows them to ingest our AWS information. When...
View ArticleHow can I troubleshoot high CPU utilization on my heavy forwarder?
We have 3 heavy forwarders and universal forwarders are sending data to these 3 HF. But the CPU usage on one of the heavy forwarder is high. Can I please know how to troubleshoot the issue, why the CPU...
View ArticleIs there a way to check what sourcetypes a universal forwarder is sending to...
hi there, Is there a way to check what sourcetypes a universal forwarder is sending to heavy forwarder. Any query or CLI command ?
View ArticleDoes Heavy forwarder forwarded events will undergo parsing on indexers
my Heavy forwarder is forwarding events to Splunk indexers. Does link breaking , aggregation etc takes place on indexers again? If not is there any way to make events to undergo parsing on indexers...
View ArticleDoes anyone have personal experience-based hardware recommendations for these...
Hello, I need hardware recommendations for the following scenario: 1 Search Head Indexer Cluster (search factor 2) (2 members) 1 Master Node 1 Heavy Forwarder (or cluster if possible) 7GB of events per...
View Article