Heavy forwarder isn't forwarding data from UDP port to indexer
Hello team, I have a HF in place and it is supposed to listen to a UDP port and forward the data to the indexer. It is confirmed that netstat shows the UDP port open, and the network team also confirms for the port...
How to send syslog data to the indexer and another TCP listener? (Part 2)
My scenario: I have an APP that can only send syslog data to one destination. I have an HF configured to receive syslog data over UDP. I want to send the APP syslog data to a HF. I need the HF to send the...
Error while trying to configure heavy forwarder as slave: "Uri should be in...
While trying to make heavy forwarder as slave we're receiving the below error: Bad Request — editTracker failed, reason='Could not extract scheme/hostnsme/port from uri. Uri should be in the form:...
Splunk Add-on for Tenable: Using add-on without a heavy forwarder
So I've been going through the documentation for the Nessus Add-on. It states that you will need to install the add-on on a Heavy Forwarder, however, our environment does not contain one. Our Nessus...
How can I generate all_account_ids.csv with the Splunk Add-on for Amazon Web...
We have the Splunk Add-on for Amazon Web Services running on a cluster of heavy forwarders pulling most data in from S3 inputs. The only exception is the description/metadata input which is configured...
Why are we getting an error routing data from heavy forwarders to indexers...
Hey, Happy New Year Splunkers! We want to forward data from Universal Forwarder --> Heavy Forwarder --> Indexers --> Search Head using SSL b/w HF and Indexers. We have enabled SSL and we have...
Unable to search index="_internal" for heavy forwarder instance from search...
Hi All, Suddenly I am unable to search the index="_internal" for all heavy forwarder instances from search head console. When checked in the splunk HF instances, could see...
Splunk Add-on for Kafka: "CredException: Get session key failed" setting up a...
Hello, I'm setting up a Heavy Forwarder to forward data from a Kafka topic to Splunk Cloud using Splunk add-on for Kafka. However, I'm currently encountering credential issue: ERROR pid=23104...
Populate event with extra fields as global default on forwarders.
Hi, I would like to populate all forwarded events (from various stanzas) with a centralised list of field:value pairs. Can this be achieved in a centralised location, avoiding the need to write...
Manipulating data before indexing
I have multiple forwarders (heavy and universal) and I want to manipulate the data they send to my indexers. For each event I want to add a field, whose value is based on the event content and...
Why is my props.conf for a specific sourcetype not working as expected?
When placing my props and transforms on my production system, I am not getting expected results. It should be taking sourcetype webseal:syslog, which is ingested from /var/log/messages, and setting a...
How to calculate my total indexer storage capacity?
Hello community. Thank you for looking at my question. I am a Splunk newbie and probably have the dumbest question ever asked. I have indexers, Heavy Forwarders and Search Heads. My manager asked me to...
Why is the sourcetype not reporting in Onelogin Application issue?
We have one login app installed on our heavy forwarder and our indexers and search head are in Splunk Managed cloud. We are pulling events for one login using API. Recently we saw events count drop and...
How do I route pre-processed data to a specified index, based on field value?
I have app data routing from one set of Relay Forwarders (DEV) into another set of Relay Forwarders (sandbox) and then on to a set of indexers. I need to route the data to a specific index if the field...
Can a Heavy Forwarder both be a receiver and a forwarder?
We currently use nxlog on our Windows domain controllers to forward logs to one destination. With nxlog I can forward the logs to another destination and I'd like to forward the Windows event logs to our...
Splunk Add-on for Microsoft Cloud Services: Why...
Running Splunk Add-on for Microsoft Cloud Services v 2.0.1.1. The directories underneath, var/lib/splunk/modinputs/ that are being written to by this Technology Add-on are not cleaning themselves up....
Do the index and sourcetype get changed when the logs, sent by rsyslog...
Hello, we have a splunk instance that is being fed by a splunk heavy forwarder. We have a rsyslog linux server forwarding logs from our network and linux servers to the heavy forwarder, which is...
Can we increase parallelIngestionPipelines in a heavy Forwarder?
Folks, has anyone tried configuring `parallelIngestionPipelines` on **Heavy Forwarder**? We have plenty of room for cpu/memory on heavy forwarder. Hence wanted to check if `parallelIngestionPipelines`...
Load Balancing at UF to HF
We have the current infrastructure: UF -> HF -> Indexers. Can I set up Load Balancing at the outputs.conf so that data is forwarded equally to the HF? I would like to know the pros and cons for...
Why am I getting an error when sending logs from universal forwarder to heavy...
Hello, I have some Windows systems that I'm trying to send logs from via a universal forwarder, to a heavy forwarder. However, I am getting an error on the heavy forwarder: WARN IndexerService -...