SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed...
I have this add-on installed on a HFW, just installed the 0Gb ingestion license (to allow KVStore to run) but I am now getting SSL errors?!? I can't see any SSL configuration element in the app/docs so...
Bandwidth usage for 200 GB of data from heavy forwarder to indexers
Hello, I understand from some of the links that using UFs as an intermediate forwarding layer adds metadata at **stream level** while using HFs as an intermediate layer adds metadata at **event level**. What...
JMS Messaging Modular Input App documentation?
Where do I install this app? On SH Cluster or Heavy Forwarder via deployment server? I don't find any Splunk documentation on this. Can someone please share the link to documentation on this?
Heavy forwarder not sending new data
Installed a heavy forwarder on an instance to ingest exported data from our old SIEM, and needed props set on the data so I don't have to bounce my indexers. I got 2 of my 14 gb files w/out issue, and...
Is it possible to send all data from Splunk Light to Splunk Cloud?
I want to use Splunk universal forwarder to send all data to one instance of Splunk Light locally and then use another mechanism to send all data collected to Splunk Cloud, without the need for each...
Splunk Add-on for Bluecoat Security Analytics
Hi Splunkers, Just like to ask if splunk has an add-on for bluecoat SA or the Bluecoat App is the only way. If app is the only way, is there any guide or documentation for proper integration of...
Blue Coat Security Analytics App For Splunk: Is there any documentation for...
Hi Splunkers, Just like to ask if splunk has an add-on for bluecoat SA or the Bluecoat App is the only way. If app is the only way, is there any guide or documentation for proper integration of...
Using Splunk heavy forwarder - Filter data before TCP routing - What's wrong...
Hi, I'm using a Splunk Heavy Forwarder with props.conf, transforms.conf and outputs.conf to selectively send events to different splunk Indexers based on the sourcetype. That works well. But now I have...
index override on HF data
Hi, There is a situation where we have installed DB connect on HF and then the HF sends that data to 2 sets of different indexers and now we need to override the index name at one set of indexers. We...
HTTP Event Collector -- How to specify folder or path name to store logs on...
Hi All, Could you please help me with the query regarding collecting data using the HTTP Event Collector? I am trying to collect logs from F5 appliances using HEC method. The basic architecture will...
How do avoid or minimize duplication of data during the switch of data input...
We have our Heavy forwarder server monitoring a shared directory for proxy data log file provided by our proxy team. We want to switch from monitoring a log in a shared directory on Heavy Forwarder to...
How to avoid or minimize duplication of data during the switch of data input...
We have our Heavy forwarder server monitoring a shared directory for proxy data log file provided by our proxy team. We want to switch from monitoring a log in a shared directory on Heavy Forwarder to...
Is there any advantage to sending data from UFs to an intermediate HF instead...
Is there any advantage to sending data from UFs to an intermediate HF instead of directly to indexers? I recall reading that by relaying data UF > HF > indexer, there are certain advantages (e.g....
Is there any advantage to sending data from universal forwarder to an...
Is there any advantage to sending data from UFs to an intermediate HF instead of directly to indexers? I recall reading that by relaying data UF > HF > indexer, there are certain advantages (e.g....
Why is Splunk still getting logs from an edited source path?
I recently edited the path of a source in inputs.conf in a heavy forwarder but I kept receiving events from both (the new and the old source). The old one: [monitor:///var/portal/tomcat/log/jms.log]...
Index override on heavy forwarder data
Hi, There is a situation where we have installed DB connect on HF and then the HF sends that data to 2 sets of different indexers and now we need to override the index name at one set of indexers. We...
Heavy Forwarder send events to remote syslog
I am being asked to forward events from a Heavy Forwarder, to a remote ArcSight server as raw events. Our HF's receive events from UF's un-indexed, and they pass-through the HF's un-indexed. Is this...
Queue size for splunktcp - Data Loss on HF
Hi Ninjas, I wonder how we lost data in the following scenario: Universal Forwarders sending their data to a central Heavy Forwarder - this Heavy Forwarder uses Indexer ACK. However, due to a...
Heavy forwarder not sending logs (Windows)
I've got an issue with HF not sending the logs to indexer. Does anyone have experience with something like this? HF was sending the log to indexer as it should until yesterday. At one moment, indexer...
How to configure heavy forwarder to send data to specific Qradar server
Hi Team, I have a heavy forwarder which is sending data to 5 indexers. Also, I have multiple Qradar servers but I want the heavy forwarder to send the same data to only one Qradar server. Currently the...