Filter out "everything but..." from certain source with heavy forwarder?
I want to filter out everything in my massive firewall logs except those events with event codes for a few important event types. Here's what I have right now: inputs.conf...
Is it best practice to collect data from network drives using a heavy...
Hello and good morning, I have a heavy forwarder that takes inputs from several network drives and it's working fine so far. The question I can't find an answer to in the Splunk docs is, is getting...
Can a Splunk 6.3 heavy forwarder send data to a 6.1 indexer, and can I use...
Hi, I have a multi-part question. First, can a 6.3 Heavy Forwarder send to a 6.1 indexer? And second, can I use the index parallelization functionality on the 6.3 HFW to send this data? (Might be...
WARN TcpOutputFd - Connect to host:port failed. Connection refused
I am forwarding data from heavy-forwarder (HF-1) to heavy-forwarder (HF-2), which are in different network IP ranges. Eg: 10.172.0.1 to 10.234.0.1 I have enabled the forwarding from HF-1 to HF-2 via...
Is multitiered load balancing supported in Splunk 6.3.1? (Universal...
Hi, After going through the 6.3.1 documentation, it is still not clear to me whether multitiered load balancing is fully supported in Splunk. I don't see why not, but I just want to double check with...
Does the Tripwire Enterprise App for Splunk Enterprise require the use of the...
Does this app require the use of the heavy forwarder or will the universal forwarder work?
How to set Splunk Heavy Forwarder hostname as the splunk_server metadata when...
We have an environment where we have Universal Forwarder ---> Heavy Forwarder ---> Indexer and would like to have the splunk_server metadata be the HF so that the information is easily separated...
How to forward logs from universal forwarders to heavy forwarders for...
Hi Guys, We have multiple universal forwarders and 3 heavy weight forwarders. Currently all UFs are forwarding logs directly to indexers. What I want is to configure universal forwarder to send...
Why does our heavy forwarder host_regex configuration work for Linux, but not...
We are having issues getting Splunk to process log files in Windows. The identical configuration works in Linux. Appreciate any help in identifying what the problem could be. **This does not work**...
How do I edit my single-machine deployments outputs.conf to send out data for...
Hi everyone, I'm trying to use splunk as heavy forwarder to send out only 1 index, but it doesn't work. Could someone please help me? I think there is something wrong in the outputs.conf. [tcpout]...
Why am I getting "HTTP Request error: 400 Client Error: Bad Request" trying...
So, I go into the Box App for Splunk on my Heavy Forwarder to do initial configuration. I successfully configure the app and validate the oauth information with my Box admin account. However, I notice...
How to filter events on a heavy forwarder sent from universal forwarders?
Hi Team, We want to drop events which contain the keyword "error". Below is our setup: universal forwarder ------>Heavy weight forwarder -------->indexer/cloud We have multiple universal...
Why are my props and transforms.conf not filtering data on the heavy forwarder?
I have a Heavy Forwarder installed which sends the logs to Splunk Cloud. Here's the workflow, please shed some light on this.... UFs-----> HWF -----> Splunk Cloud indexers -data is flowing into...
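The three questions above (keep only a few event codes, drop events containing "error", and props/transforms that do not seem to take effect on a heavy forwarder) are all answered by the same parsing-tier mechanism: a `TRANSFORMS-` class in props.conf that writes to the `queue` key. The props.conf/transforms.conf pair below is an added example, not configuration posted by any of the askers; the sourcetype names `WinEventLog:Security` and `fw:syslog` and the event codes 4624/4625/4688 are assumptions chosen for illustration.

```ini
# ---- $SPLUNK_HOME/etc/system/local/props.conf on the heavy forwarder ----
# The stanza name must match the sourcetype exactly as the UF assigns it
# (or use [source::...] / [host::...] stanzas).
[WinEventLog:Security]
# Transforms in one class run left to right and the last write to the
# queue key wins: send everything to nullQueue first, then rescue the
# event codes that should be kept.
TRANSFORMS-filter = setnull, keep_codes

[fw:syslog]
TRANSFORMS-drop = drop_error

# ---- $SPLUNK_HOME/etc/system/local/transforms.conf on the heavy forwarder ----
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_codes]
# Assumed codes for illustration: 4624/4625 logon success/failure, 4688 process creation.
REGEX = (?m)^EventCode=(4624|4625|4688)\b
DEST_KEY = queue
FORMAT = indexQueue

[drop_error]
# Case-insensitive whole-word match so "errors" in a hostname is not dropped by accident.
REGEX = (?i)\berror\b
DEST_KEY = queue
FORMAT = nullQueue

# ---- Alternative for the "everything but" case, in inputs.conf on the UF ----
# For Windows event log inputs the filter can be applied at the collecting
# UF so the discarded events never cross the network at all.
[WinEventLog://Security]
whitelist = EventCode=%^(4624|4625|4688)$%
```

Two checks worth doing before concluding that the filter is "not working": first, events only reach nullQueue after parsing, so this must be deployed on the tier that parses the data. A universal forwarder sends unparsed data, so the heavy forwarder's stanzas apply to it; but if the UF uses `INDEXED_EXTRACTIONS` for that sourcetype (structured data is parsed on the UF), or the data arrives already cooked from another heavy forwarder, the parsing stage is skipped and the transforms never run. Second, run `splunk btool props list WinEventLog:Security --debug` on the heavy forwarder to confirm which file supplies the stanza in effect and that no higher-precedence app overrides the `TRANSFORMS-` setting; a splunkd restart is needed after editing either file. Events routed to nullQueue are not counted against the license, which is usually the point of doing this on the forwarder rather than searching around the noise later.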
We have "indexAndForward = false" configured, but why are heavy forwarders...
Working on better alerting on indexing volume/license usage and the like and I've stumbled across something inexplicable. We have 4 Heavy Forwarders that all have default/outputs.conf with `[tcpout]...
dbconnect 2 + heavy forwarder + filtering and routing
Hi, We use a splunk architecture where all events go through a heavy forwarder before getting to an indexer. The HF does extensive filtering, transforms (trimming), and anonymisation and is basically...
How to choose which indexers Splunk DB Connect 2 database sources are routed...
Hi, We use a Splunk architecture where all events go through a heavy forwarder before getting to an indexer. The HF does extensive filtering, transforms (trimming), and anonymization, and is basically...
Is my current architectural design a legitimate deployment for a small Splunk...
Hi, My company is deciding to use Splunk in a Small Enterprise Deployment. I already read a bit about scaling, the infrastructure design, and the amount of components. I'm assigned the task to think...
'Invalid Key in Stanza' errors being generated at startup for inputs.conf...
Per these docs [http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/MonitorWindowsdata][1] I have changed from the old way of using transforms to filter out unwanted Windows Events from logs I am...
Should I build out a cluster master with the same hardware spec requirements...
Should I build out a cluster master with the same hardware requirements as my heavy forwarder?
How to disable KVStore on a heavy forwarder?
I have KVStore taking up drive space on a HF. Documentation warns about this and says KVStore can be disabled in the server.conf. But there are no instructions on how to do this. Please advise.