Can you help me get the File/Directory Information Input working?
I'm trying to get the File/Directory Information Input app working but I'm struggling. The place I'm working has this installed on a couple of heavy forwarders (HF), but neither seems to be generating...
In the search head, why am I not able to see which heavy forwarder the logs...
I have 3 heavy forwarders and sending firewall logs to all heavy forwarders and then forwarder to indexer. But, when I am searching from the search head, I am not able to check from which heavy...
From a Heavy Forwarder to an Indexer, how can I get Splunk to separate...
So my issue is that I am not sure how to get Splunk to separate data on the indexer. I am trying to listen on the forwarder port 514 (for Linux syslog) and 6161 (for windows event logs), I use...
How can one determine on system level if a Splunk install is a Heavy...
Hi team, I'm looking to find a way to identify if a Splunk server is a heavy forwarder or an Indexer in an automated way. Is there a way to find out, by looking at filesystems, processes or running...
How do I line break winevent log events after a Universal Forwarder (UF) sends...
I have UFs (managed by a DS) on Windows endpoints sending winevents to a HF. The HF receives the events and then sends everything to the indexers cooked and simultaneously sends uncooked data to a 3rd...
Is there any way to process data with a heavy forwarder and then send the...
I have raw data that I need to parse / break per event time stamp but I need to send it uncooked (with the event breaks) to a NiFi listener node... I don't believe this is possible.... Please confirm....
What architecture will work in this Splunk Distributed Environment?
Hi Team, I have an infrastructure located globally multiple sites around 10 to 15 Sites which can be generated approximately 1 TB of log volume a day, I would need Splunk expertise suggestions on what...
Without having access to the universal forwarder, can I check whether it is...
Hi All, I am relatively new to Splunk, In my environment we are using deployment server to manage the deployment apps on universal forwarders. During the installation of universal forwarders, we...
How to configure IP range in inputs.conf on heavy forwarder
I have logs coming to a heavy forwarder being stored under directories based on IPs (i.e. " /var/log/remote/192.168.1.6" How do I use inputs.conf to capture a range of IPs while setting the index and...
Why am I getting the following Http Event Collector (HEC) errors?:...
I created 100s of HEC tokens and put them in an app, which has been pushed down to several Heavy Forwarders. Most of them are working fine, but strangely, several of them are not working and give the...
What are the basic troubleshooting steps in case of UF/HF is not forwarding...
Most of the time we have seen that the Splunk universal forwarder or heavy forwarder fails to forward data to the indexer. In these scenarios, what troubleshooting steps can we use to start the...
Monitoring saturation of event-processing queues in Heavy Forwarders
I have a distributed environment with multiple indexes, search heads, and a pair of heavy forwarders. Since last days one of my HF starts to alert an issue, Monitoring Console's Health Check is warning...
What is causing the following warning from the Monitoring Console's Health...
Monitoring saturation of event-processing queues in Heavy Forwarders I have a distributed environment with multiple indexes, search heads, and a pair of heavy forwarders. But over the last few days,...
How to index and use unstructured huge volume of data - Splunk HWF and SH...
Hi All, We are working on a clustered environment where splunk is fetching logs from various servers. In the source server we have set up splunk heavy weight forwarder which forwards the data to the...
Heavy Forwarder stopped sending data
Hello, Let's say we have Heavy Forwarder forwarding logs to groups A (Which consists of two IDX) and group B (One HF). Group B does not make LB, group A does. My question is, what will the Heavy...
How to avoid data loss on HF on restart
I have service now add on, db connect in Heavy Forwarder. So I can't use multiple instances of HF to avoid data duplication and licensing. My both apps Service Now and DB connect are in real time sync,...
Impact of installing syslog-ng in universal forwarder
Hello Splunkers, I have a requirement wherein I need to forward the data to the third-party system apart from sending logs to Splunk. What is the impact of having syslog-ng along with universal...
IIS Heavy Forwarder Translation
We are working through a staged migration where two splunk instances will be running in parallel for a while before we switch over. Because naming conventions are fun, we are going to adopt an entirely...
How do I make my heavy forwarder my deployment server?
I have a Splunk Cloud instance and a heavy forwarder that sends in all my data into my cloud instance. I will now be installing a universal forwarder to get Windows Active Directory data in and will...
How do I make my heavy forwarder, which is already configured, into a...
I have a Splunk Cloud instance and a heavy forwarder that sends in all my data into my cloud instance. I will now be installing a universal forwarder to get Windows Active Directory data in and will...