How do I configure an on-prem intermediate heavy forwarder to connect to an...
I want to build an indexer, search head, and deployment server on our own (not Splunk's ) AWS VPC. The overall question is, how do I configure an On-Prem Intermediate Forwarder (HWF) to connect to the...
View ArticleHow to troubleshoot why an indexer is only receiving data from 50% of...
I spent hours trying to figure this out Friday, and it's been bugging me all weekend. So, I'm hoping the community can help me figure this out! The info below is all from memory, hopefully I don't miss...
View ArticleKafka Messaging Modular Input: How to set up multiple heavy forwarder agents...
I tried to set up multiple heavy forwarder agents on the same server pulling from a Kafka topic, but it appeared as if only one agent would take any load (I was monitoring agent via top cmd, java cpu...
View ArticleWhy is my Splunk 6.2.5 Heavy Forwarder not filtering out events as expected?
My Heavy Forwarder forwards data to the indexer fine, however, I wanted to filter out some events before being forwarded using props.conf and transforms.conf, but the indexer still receives everything....
View ArticleAfter configuring Heavy Forwarders and now setting up the receiver, would my...
Be warned. New to Splunk Cloud. Have worked primarily with on-prem instances of Splunk Enterprise. I have configured my two heavy forwarders (My VM's). I have ran the following command to set up the HF...
View ArticleIs Heavy Forwarder to Heavy Forwarder possible?
We have a relatively closed network in which we plan to collect logs from. This network resides on a larger "open" network that we don't want to have directly communicating to our internal network. Is...
View ArticleHow can I debug a TCP feed on a heavy forwarder?
Hi, I need to debug a tcp feed from a load-balancer, on a server where I don't have root or sudo. Is there a props config that I can make to put it into debug and see exactly what it's processing? I'm...
View ArticleIndexer and Heavy Forwarder in once?
Hello community, we would like to forward a subset of syslog data to a 3rd party syslog host. So, no problem, this is possible with a forwarder or a heavy forwarder...
View ArticleHow to deploy and configure the Splunk App for Stream in an environment with...
Hi all! I am just getting started with an environment that we've somewhat inherited from another team within our org. For a variety of reasons, we use Heavy Forwarders to aggregate and forward data out...
View ArticleWhat does sendCookedData actually do on a heavy forwarder (i.e. what does...
What transformations / processing happens when data is cooked on a heavy forwarder? Is it the same as the data being indexed just without local storage (barring also setting indexAndForward to true)?...
View ArticleHow to add an AWS account to the Splunk Add-on for Amazon Web Services via...
We use clustered search heads and clustered forwarders. All the documents on how to set up the AWS account seem to be GUI based. So, we set everything up on one search head. Then copied our...
View ArticleIs there a way to report on the devices depositing syslogs on my heavy...
I need to write a search to report on what devices are sending logs to my heavy forwarders using syslog-ng to the `/var/log/splunk/*` directory. The issue is those directories under Splunk are mostly...
View ArticleWhy is AWS Billing failing with "there's no any timestamp column in header"...
We configured AWS billing on the aws app. Things worked fine until we moved the app from the search head to the heavy forwarder. Now we are seeing a lot of failures with the following error: File...
View ArticleIs it possible to prioritize what data is forwarded from a heavy forwarder?...
Hi everybody, I'm new in Splunk, so be gentle, please. So that's the scenario: I have a Splunk Heavy forwarder, and I want to know if it is possible to prioritize the data which is forwarded to the...
View ArticleHow do I reduce the interval of data sent from DCN (heavy forwarder) to the...
I see that from DCN, data comes in with a frequency of 5 minutes. How do I reduce this interval? I use a heavy forwarder as DCN
View ArticleDo we need to install the Splunk Add-on for Box on both search heads and...
Couple questions about the Splunk Add-on for Box. We're setting up a heavy forwarder to collect the data. Do we need to also install the add-on on both the Search Heads and Indexers as well, or just...
View ArticleWill the File/Directory Information Input add-on work on a universal forwarder?
Does the File/Directory app require a heavy forwarder? It appears to require python.
View Articleheavy forwarder falling behind when consuming log files
HF version is 6.2.2 and running on RHEL 6 x86_64 - 8 cores and 16 GB of memory. It is a VM. We have a heavy forwarder that is consuming standard syslog from a file fed by rsyslog using a standard...
View ArticleDo I need to install the Cisco eStreamer for Splunk app on both my Heavy...
I plan to install the eStreamer app on my Heavy Forwarder to collect the logs from the Sourcefire management console and install it on the Search Head to use the app dashboards. Do I also need to...
View ArticleHow can I clear "1 license window warning reported by 1 indexer" on the...
It has only reported 1 warning 4 days ago. I can see and access the new Heavy Forwarder and completed more configurations in which I told the HF to reach out to my Cluster Master holding my License...
View Article