How to filter Windows event logs on a Splunk 6.2.3 forwarder?
Hello, how do I filter events (Windows event log) on a forwarder? By the way, how do I install a heavy forwarder? I have Splunk 6.2.3. Thanks in advance.
Why am I unable to forward a sourcetype from a heavy forwarder to different...
I'm in the process of migrating one environment's data to its new environment. I have specific hosts forwarding data using the [<host>] stanza in props.conf, but am having problems getting a...
How to resolve error Forwarding to indexer group default-autolb-group blocked...
Hello! I am getting the following error: Forwarding to indexer group default-autolb-group blocked for 2400 seconds. I have configured inputs.conf to filter Windows events (System, Security etc..) I...
received event for unconfigured/disabled/deleted index='msad' with...
I was getting the message as follows. What should I have to do to get those logs?
Splunk Add-on for IBM WAS: "Unable to initialize modular input "jmx" defined...
Dear Splunk community, We get the following error message trying to get SPLUNK_TA_jmx 3.1.0 working on a 64-bit SLES 11 SP3 system with Splunk 6.2.1.2 build 259063: Unable to initialize modular input...
Does data indexed and forwarded from a heavy forwarder to indexer would...
Will changing indexAndForward=true at the heavy forwarder and forwarding to an indexer charge twice?
Why is the FireEye App for Splunk Enterprise v3 not properly parsing data?
Good day, We have already set up the app, but the data coming from FireEye is not properly parsed or fields are missing. To have an idea of our setup, please see below. FireEye appliance configured...
How to find the IP address of the AWS(f5) data coming through port 9997 to a...
The port 9997 is enabled, data hitting the Heavy Forwarder. How to validate specific data and IP address?
What is F5 data and how do we identify this on a heavy forwarder?
My head is going to blow up. What is f5 data, how to identify this on a Splunk heavy forwarder and make sure the heavy forwarder is configured?
Why are events not being split for each date for one heavy forwarder?
Events should be split for each date, which is not happening for one of the forwarders: The following is the part of a single event: [6/28/16 11:28:37:500 MST] 00000028 Resource W...
How do I edit my Hosts > Heavy Forwarder > Heavy Forwarder > Indexers...
I have gone through the docs: routing based on metadata (source, host, sourcetype) to send specific data to a different target group, but it isn't working. I have 10 hosts that send data to an...
Why won't my app download on some heavy forwarders from the deployment server?
Hi, I have an updated app on my deployment server that will not download to a couple of my Heavy Forwarders. The HF checks in, and I see handshakes, but it never downloads the app (which is updated)....
How should I configure a Heavy Forwarder outputs.conf to work with DMC?
Dear All, I have been getting ready to set up Distributed Management Console after our upgrade to Splunk 6.3.2 and I am working through the pre-requisites document. We have a distributed environment...
How do I heavy forward on single line
Hi, I need to change a bit of my Splunk architecture and split the data output as follows: 1. Forward from Heavy Forwarder to Splunk Indexer 2. Forward from the same Heavy Forwarder to a Syslog server....
How should I configure a Heavy Forwarder outputs.conf to work with the...
Dear All, I have been getting ready to set up Distributed Management Console after our upgrade to Splunk 6.3.2 and I am working through the pre-requisites document. We have a distributed environment...
How do I configure a heavy forwarder to send data to an indexer, but also...
Hi, I need to change a bit of my Splunk architecture and split the data output as follows: 1. Forward from Heavy Forwarder to Splunk Indexer 2. Forward from the same Heavy Forwarder to a Syslog server....
Unable to forward syslogs coming in from UDP:514
Here is my setup on my Heavy Forwarder **inputs.conf** [udp://:514] sourcetype = syslog connection_host = ip disabled = 0 [tcp://:514] sourcetype = syslog connection_host = ip disabled = 0...
Why am I getting heavy forwarder error "TcpInputConfig - SSL server...
I need to send data from a security appliance to a Splunk Heavy Forwarder on a listening port using TCP-TLS. Getting the errors below every time in opt/splunk/var/log/splunk/splunkd.log that Splunk is...
How to configure JMS Modular Input on a heavy forwarder to receive messages...
I would like to use the JMS Modular Input to receive messages from a remote ActiveMQ JMS Queue. My scenario is this: I have a Splunk environment with 1 search head, 2 indexers, and a Universal...
Why am I unable to send events to a syslog server with my current heavy...
Background: I tried to configure sending events to a syslog server. Here are my configurations **outputs.conf** [syslog:my_syslog] server = 10.10.10.2:514 type = tcp disabled = false **transforms.conf**...