How do I configure my heavy forwarder to filter and route data as expected?
I'm having some issues with a heavy forwarder that I can't explain, and I was hoping someone could help me. First question: I have 1 heavy forwarder and 3 separate indexers. How can I define on the...

How to send different inputs to different indexers?
We are doing some integration with an outside service provider that already has a Splunk Universal Forwarder deployed on a server that they have dedicated to us. It is collecting some information, and...

Heavy Forwarder tier queues are full. How to determine which configuration...
All, I am looking at the queues on my heavy forwarder tier, which I use to proxy all our Universal Forwarders. The queues have been looking full lately; it seemed to creep up on us. Any recommendation on...

Is there a way to create an alert to notify us if the license is going to...
Hi, is there a way an alert can be created to notify us about the license expiration of a heavy forwarder? For example, we want to get notified when the license for the heavy forwarder is about to expire in...

How is the Splunk Heavy Forwarder used to buffer/cache until indexers come...
All, I have a Splunk heavy forwarder collecting data from various endpoints, which then passes up to the Indexers. We recently had a config error that disconnected the HF from the IDX for a few hours....
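The two posts above (full queues on the forwarder tier, and what the HF holds while its indexers are unreachable) come down to the same handful of settings. The fragments below are an added example, not configuration from any of the posts; the host names, port, and queue sizes are assumptions, and the setting names follow the Splunk 6.x configuration reference.

```ini
# outputs.conf on the heavy forwarder
[tcpout]
defaultGroup = indexers
# In-memory output queue. When every indexer in the group is down this is the
# only buffer on the output side; once it fills, the HF stops pulling from its
# input queues (file monitors pause and resume later, but UDP datagrams that
# arrive while the input is blocked are simply dropped by the kernel).
# 500MB is an assumption; size it to the RAM you can spare.
maxQueueSize = 500MB

[tcpout:indexers]
server = idx1.example.com:9997, idx2.example.com:9997
# Rotate between indexers so one slow receiver does not hold the whole queue.
autoLBFrequency = 30
# Keep events in the wait queue until the indexer acknowledges them, so a
# connection that drops mid-stream is replayed rather than silently lost.
useACK = true

# inputs.conf on the heavy forwarder
# Network inputs can spill to disk; file monitors cannot (the file itself is
# their buffer), so persistent queues matter most for syslog over UDP.
[udp://514]
sourcetype = syslog
connection_host = ip
# In-memory input queue, then an on-disk queue under $SPLUNK_HOME/var/run/splunk
queueSize = 10MB
persistentQueueSize = 2GB
```

To see which queue is actually filling, the metrics the HF writes to its own `_internal` index are the place to look: `index=_internal host=<hf> source=*metrics.log group=queue | timechart max(current_size) by name` shows `parsingqueue`, `aggqueue`, `typingqueue` and `tcpout_*` side by side. A full `tcpout_*` queue with the others empty points at the indexers or the network; a full `parsingqueue` or `typingqueue` points at props/transforms work on the HF itself.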

Why is Splunk not receiving on splunktcp 9997?
I have a Heavy Forwarder set to forward load balanced data to two Splunk indexers on 9997. When I enable receiving on the indexers (via Settings -> Forwarding and Receiving -> Configure...

How do I configure my heavy forwarders to parse the timestamp for a...
Hello, I'm having an issue with timestamping for my WinRegistry data. I don't know whether by design, or for some other reason, the timestamp in the logs is as such: 11/02/11154 14:24:53.046 which of...

How to define specific characters within angle brackets in my syslog data as...
I have syslog information being sent to my heavy forwarder and I'd like to define a specific translation for one piece of information. The number in the `<>` brackets translates to Error,...

Qualys Technology Add-on (TA) for Splunk: How to debug error "Unable to...
We have a set of new build servers (Windows) with Splunk v 6.4.1. All data input goes via a separate heavy forwarder to the indexers. When I install the latest TA-QualysCloudPlatform (on the HF) and...

Field extraction and conditional splitting into different indexes on a heavy...
Hello, In my environment I have a setup of two heavy forwarders forwarding to a set of clustered indexers. I want those forwarders to receive syslog, and depending on the facility/severity the incoming...
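Several of the posts above ask the same underlying question from different angles: how a heavy forwarder decides where an event goes (sending different inputs to different indexers; reading the number inside the syslog `<>` brackets; splitting syslog into indexes by facility/severity). The fragments below are an added example, not configuration from any poster. Index names, indexer host names, ports and sourcetype names are assumptions; the arithmetic for the syslog priority field is from RFC 3164/5424 (PRI = facility * 8 + severity, severity in the low three bits, 0 = emerg through 7 = debug).

```ini
# inputs.conf on the heavy forwarder
[udp://514]
sourcetype = syslog
connection_host = ip

[tcp://5514]
sourcetype = vendor:syslog
connection_host = dns
# Everything on this input goes to a separate indexer group, whatever it contains.
# Input-level routing needs no props/transforms at all.
_TCP_ROUTING = vendor_indexers

# props.conf on the heavy forwarder
[syslog]
# Transforms run left to right; the last one that writes _MetaData:Index wins,
# so put the most specific rule last.
TRANSFORMS-routing = route_auth_facility, route_kernel_critical

# transforms.conf on the heavy forwarder
# auth (facility 4) and authpriv (facility 10) at any severity:
# PRI 32-39 and 80-87. Keeping these in their own index lets you restrict
# who can search authentication logs with an index-level role.
[route_auth_facility]
REGEX = ^<(?:3[2-9]|8[0-7])>
DEST_KEY = _MetaData:Index
FORMAT = auth

# kern (facility 0) at severity 0-2 (emerg, alert, crit) is PRI 0, 1 or 2.
[route_kernel_critical]
REGEX = ^<[0-2]>
DEST_KEY = _MetaData:Index
FORMAT = kernel_critical

# outputs.conf on the heavy forwarder
[tcpout]
defaultGroup = main_indexers

[tcpout:main_indexers]
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997

[tcpout:vendor_indexers]
server = idx3.example.com:9997
```

Two checks worth doing before trusting this. First, the `auth` and `kernel_critical` indexes must exist on the indexers, not on the HF; a cooked event that names an index the receiver does not have is dropped and logged in the indexer's splunkd.log. Second, because the HF parses the data, the downstream indexers will not re-run these transforms, so a change here has to be tested on the HF itself (`splunk btool transforms list route_auth_facility --debug` shows which file the stanza is actually coming from). Turning the PRI number into the words Error, Warning and so on is a search-time job (a lookup keyed on PRI mod 8), which is separate from the index-time routing shown here.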

Powershell script in Heavy Forwarder consuming a lot of memory in Active...
Hi everyone, I have a simple PowerShell script that runs every 5 minutes grabbing data from a database. I have noticed the memory climbs quite high (almost 4GB). I have an "output" is the Heavy...

How to upgrade Apps (Palo Alto) on a Heavy Forwarder Cluster setup?
Hello community, I just took over a cluster (which is not in full production mode yet) and I want to update all settings/apps before going live. The Palo Alto App, for example, is on 4.x, available...

Is it possible to install Splunk forwarders on multiple Linux machines at one...
Hello, I have 10 Linux machines on which I need to install a universal forwarder or heavy forwarder. My question is, do I need to log in to every machine and install Splunk, or can I do it all at one...

How to troubleshoot why we are unable to get data into our heavy forwarder...
Currently we have an issue getting data into the heavy forwarder. We can see that the stanza below is configured on the heavy forwarders. When checked under the path mentioned in the stanza, we...

Do heavy forwarders listen to data from devices or collect data by contacting...
Example: are snmp devices sending data to heavy forwarder, or is the HF connecting to devices to get syslog data? Thanks.

Should a UDP feed appear in "splunk list monitor"?
Hi, I'm troubleshooting a syslog feed on a non-standard port. I ran a tcpdump, and the data is coming into the server, but it's not appearing in Splunk. The app is on the heavy forwarder, and here's my...

Why is the Splunk Add-on for Citrix NetScaler not parsing syslog data...
Hi, I have a distributed environment of Splunk running 6.3, I have a search head, cluster master, indexer & heavy forwarder. I have syslog data coming from netscalers on the heavy forwarder where I...

Timezone conversion issue on HF
We have an HF in the UTC timezone that is receiving log events from a Universal Forwarder running in the EDT timezone. The log events are in UTC. The HF is configured in non-indexer mode...

Heavy forwarder crashes on a syslog event.
We have a heavy forwarder running 6.4.1 that has been crashing on some random event being sent via syslog. Well, I should say, the syslog listener just stops processing the inputs. Other events on...

SSL encryption and authentication between Heavy Forwarder and Indexer
Hello, I have a doubt about the stanzas below in the heavy forwarder and indexers. Do the stanzas below ensure SSL authentication only, or do they encrypt the communication as well? If it...
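The poster's own stanzas are not on this page, so the fragments below are an added example of which settings give encryption and which give authentication on the HF-to-indexer link, not a reproduction of the poster's configuration. Paths, host names and the certificate passphrase are assumptions, and the setting names are the Splunk 6.x ones (later releases moved the CA path to `server.conf` and renamed `sslCertPath` to `clientCert`).

```ini
# inputs.conf on each indexer (receiving side)
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# The indexer's own certificate plus private key in one PEM. On its own this
# gives you an encrypted channel, but the indexer will still accept a
# connection from ANY forwarder, and a forwarder will accept ANY certificate.
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = changeme-in-real-deployments
# Authentication of the forwarder: demand a client certificate signed by the
# CA in sslRootCAPath below. Without this, anyone who can reach 9997 can
# inject events into your indexes.
requireClientCert = true

# server.conf on each indexer (and on the HF)
[sslConfig]
# The CA that signed both the indexer and forwarder certificates.
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem

# outputs.conf on the heavy forwarder (sending side)
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.com:9997, idx2.example.com:9997
# The HF's own certificate plus key; this is what requireClientCert checks.
sslCertPath = $SPLUNK_HOME/etc/auth/mycerts/hf.pem
sslPassword = changeme-in-real-deployments
# Authentication of the indexer: verify its certificate chains to the CA.
# Default is false, i.e. encrypted but unauthenticated, which is exactly the
# gap the question above is asking about.
sslVerifyServerCert = true
# Pin the identity as well, so a valid certificate from the same CA issued
# to some other host is not enough to impersonate an indexer.
sslCommonNameToCheck = idx1.example.com, idx2.example.com
```

In short: `serverCert` on the indexer and `sslCertPath` on the forwarder give encryption; `requireClientCert` authenticates the forwarder to the indexer; `sslVerifyServerCert` (plus `sslCommonNameToCheck`) authenticates the indexer to the forwarder. A quick check from the HF that the indexer presents a chain your CA file accepts is `openssl s_client -connect idx1.example.com:9997 -CAfile $SPLUNK_HOME/etc/auth/mycerts/ca.pem`, and the forwarder's splunkd.log will say explicitly when a handshake fails on certificate verification rather than on the cipher negotiation.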