Why does my Splunk 6.3.2 Distributed Management Console display incomplete...
Last week I setup a dedicated 6.3.2 DMC per the magic documentation, but it doesn't seem to be working correctly. I labeled my clusters, but after I registered them as search peers the search heads had...
View ArticleWhy am I unable to send one set of data to 1 environment and another set of...
I had this working, and have broken it apparently. Long story short, I'm migrating universal forwarders from one indexer environment to another (Seattle toAtlanta), via a heavy forwarder, and have been...
View ArticleHow to set up a heavy forwarder/deployment server on one server?
After building a deployment and a heavy forwarder on one server we seem to be having issues when we point the universal forwarders to the heavy forwarder. We are new to Splunk 6.3.1 and are not sure if...
View ArticleHow configure SED props.conf on a Heavy Forwarder to make a field CIM compliant?
All, My first time messing with data manipulation at the heavy forwarder tier. Specifically looking to CIM a field my developers can't fix at code. Essentially quick sub elapsedTime to duration....
View ArticleHow do I route events into different indexes based on event type?
I have an indexing scenario and below are the points to be considered. Imagine I have log file with DEBUG, INFO, and ERROR events . 1. Need to filter out events with INFO using nullQueue (feasible) 2....
View ArticleSplunk Add-on for Microsoft Powershell: How to troubleshoot why my Powershell...
I have a somewhat complex process I'm trying to get working. The synopsis is this: I have a report that generates a list of machines Splunk has not heard from in at least 12 hours. This report runs on...
View ArticleHow to calculate maximum *nix heavy forwarder capacity/thruput based on...
Fellow Splunkers! I've spent a lot of time on both the answers and splunkbase sites but can't seem to find a simple __formula__ for this. I am trying to determine the maximum *nix heavy forwarder...
View ArticleUsing an indexer cluster in AWS, we installed the Splunk Add-on for AWS on a...
We are using a Splunk indexer cluster in AWS. We installed the Splunk Add-On for AWS on a heavy forwarder. Is there any possibility of having high availability for this setup? It seems it is not...
View ArticleWhy am I getting handshake error between my deployment server and 5 out of 10...
Hello, I've read a few threads on this topic, but none seem to relate to Splunk 6.3 or have worked for me. I am taking over a deployment that looks like 10 servers that forward data to a Heavy...
View ArticleWhy do I get "--splunk-cooked-mode-v3--x00x00x00x..." when the logs pass...
Hey all, My goal is to send syslog events from my application to heavy forwarder(1), then to my additional heavy forwarder(2) in a different network, and from there to the Indexer. All works correctly,...
View ArticlePersistent Queue not working for Heavy Forwarder on Splunk Enterprise 6.3.2
Hi all, I am current trying to test persistent queue to see whether it works on heavy forwarder. However, it doesn't seem to be working. Here is my scenario: I have syslogs coming in from different...
View ArticleWhy am I unable to send data from a universal forwarder to a heavy forwarder...
Hello, I am working on a PoC env. I have a Universal Forwarder monitoring a directory for new data, tagging with a sourcetype and sending to a Heavy Forwarder. When I try to send data from a UF to a HF...
View ArticleHow to edit outputs.conf for the Splunk Add-on for Check Point OPSEC LEA on a...
We have a Splunk setup to get the ASA Check Point logs collected to heavy forwarder and send to an indexer server through the SplunkĀ® Add-on for Check Point OPSEC LEA. That add-on was configured and...
View ArticleWhy is the Splunk Add-on for Check Point OPSEC LEA scheduling searches?
I have the Splunk Add-on for Check Point OPSEC LEA installed on a number of instances and I'm a bit confused about what instance it is intended to be on. I want the add-on for its ability to log into...
View ArticleIs it possible to have a script run on a Heavy Forwarder to process and...
Looking to set up a Heavy Forwarder as a data processing server. We get data logs in a specific format dropped on our production machines, but it needs to be opened and converted to CSV by a special...
View ArticleHow will a heavy forwarder in an AWS deployment react if the connection to...
We are working on an AWS deployment. We are planning on setting up 4 heavy forwarders with a few hundred universal forwarders and syslog devices connected in each DC to connect to AWS. I am trying to...
View ArticleFilter out logs using props.conf and transfors.conf
I am pulling logs from the firewalls via scripts on a heavy forwarder (via scrips from the app for Checkpoint). How to create props.conf and transfoms.conf to filter some logs from being indexed by the...
View ArticleHow to configure a heavy forwarder to filter events based on the hostname...
I have not yet started ingesting IIS logs from my systems. The systems have roughly 2 years of logs stored on them, that I need to ingest for IA compliance reasons. I'm going to utilize...
View ArticleIs there a way to search which heavy forwarder sent a log to the indexer?
Is there a way to search a log and figure out which heavy forwarder sent the log to the indexer?
View ArticleHow do I configure the outputs.conf file to forward data from heavy...
I have a cluster with a search head, master node, 2 indexers, and a deployment server. I am able to get the cluster to see new clients and push down updated .conf files, but I am having trouble having...
View Article