Parsing Queue blocked on Heavy Forwarder
Hey guys, I got some questions regarding parsing queue issues I have been observing on our Heavy Forwarders. I am currently seeing between 500 and 1000 blocked events on each heavy forwarder daily when...
How to send a specific index from one indexer to another without a heavy...
So we have a client system that has their own Splunk indexer. For certain reasons they do not want their splunk universal forwarders sending logs to two separate indexers, but want to continue to have...
Universal Forwarder vs Heavy Forwarder
Hi All, Is there any recent test,conf discussion or doc around mentioned below splunk blog 2016: https://www.splunk.com/en_us/blog/tips-and-tricks/universal-or-heavy-that-is-the-question.html Is it...
running log on splunk heavy forwarder
I have a heavy forwarder onprem installed on a windows OS. I am troubleshooting why logs are not coming into the splunk cloud indexer from a cloud service over API. The api is between my onprem splunk...
Syslog filter for VMware data
I am trying to make a filter that will filter out all VPXD, VPXA, and HOSTD data coming in from VM hosts. Below is excel sheet I use to define log use cases, green means I want to continue ingesting,...
Heavy Forwarder Redundancy (with DB Connect, AWS-Addon)
Hi Experts and Splunkers, We have an existing Splunk environment which consists of: - 3 x clustered Search Heads - 3 x clustered Indexers - 1 x heavy forwarder which has several add-ons (like DB conn,...
overwrite index on heavy forwarder based on port
Hi. We are about to ingest logs from multiple suppliers, where the individual supplier has full control over their infrastructure. My take was to create a couple of heavy forwarders and dedicate a...
Is it possible to use the same certificate for web UI access and data...
As in title, I was wondering if it is possible to use the same certificate on Heavy forwarders for access to the web UI and as a server cert for server forwarding. looking at here:...
Website Monitor Alerts Lagging
I have a few web monitor inputs configured on a Heavy Forwarder to ping a url every minute. I then set up alerts on this to alert me if I get less than 25 pings with response_code=200 within 30...
Heavy Forwarder Installation version compatibility
Currently we are running with Splunk Cloud 7.2.9.1 version the same applicable for indexers, cluster master and search heads. So we have recently built a heavy forwarder server so that can I go ahead...
Tcpout Processor: The TCP output processor has paused the data flow....
I have a new Splunk deployment with a multi-site index cluster. I currently have setup heavy forwarders using indexer discovery and assigning them to the primary site. In my DMC all health checks and...
Why did Splunk restart heavy forwarder?
Got an alert for a HF restarting and trying to find the root cause of unexpected restart. I'm using the search below and the results shown are at the start of the event which led to the "Starting...
Splunk Enterprise & UF on the same machine
I have inherited a Splunk installation from the previous administrator where there is a heavy forwarder **and** a UF installed on the same machine. Since this is a bad practice in terms of performance,...
Microsoft Azure Add-on - No data received and getting error when looking into...
Hi All, I'm trying to use the Microsoft Azure Add-on for Splunk and was successful in getting this add-on to ingest Azure AD User data via the supplied input. When trying to use the Azure AD Sign-in...
Universal Forwarder hardware specs
We are looking to deploy an Intermediary forwarding tier consisting of 3 Universal Forwarders going to Splunk Cloud. The 3 UFs will be receiving data from 3 Heavy forwarders which will load-balance...
Splunk Architecture with HA for all components in a large deployment
Hello, dear Splunkers, We want to deploy Splunk in our company and one of our important concerns is High Availability. Would you please suggest me an architecture that covers HA for all Splunk...
How to configure time format in props.conf to parse the original time in the...
I've got logs that have time being sent to a syslog - the syslog is also putting a time on it to track when the logs hit the syslog. I want Splunk to parse the original time in the log, and I've tried...
Perfmon:CPU timestamp
Hello! I'm trying to change the timestamp (_time) from Perfmon:CPU before index, to use my Splunk Heavy Forwarder date instead of the original event timestamp. The Perfmon:CPU _raw is: 05/07/2020...
Getting error with Microsoft Azure Add on for Splunk: Unable to initialize...
Just installed both versions of Microsoft Azure Add on for Splunk on Heavy forwarder. When I open the inputs area nothing happens, just spins. Eventually, the following error shows up in messages:...
Can I use the same Splunk Cloud heavy forwarder to send data to on-premises...
I have a heavy forwarder currently sending data to Splunk Cloud. Can I use the same heavy forwarder to stop data sending to Splunk Cloud and start sending data to on-premises Splunk? If yes, then how?