Why are universal forwarder internal logs not getting rotated due to...
We have deployed universal forwarders on Windows and are running as "local system" (admin). This is installed in `C:\Program Files\SplunkUniversalForwarder`. When we checked into the splunkd.log...
View ArticleWhy are we missing cisco:ios sourcetype data between 12am-4am nightly?
We are collecting syslog with a syslog collector, and dumping it to text files. Splunk ingests those txt files from the drive using the Splunk Universal Forwarder and everything works perfectly for all...
View ArticleConnection between Universial Forwarder and Deployment Server
Hi, we are using self-signed certificates in our Splunk environment. In general everything works fine, but at a closer look we found that the Universial Forwarders aren't using our self-signed...
View ArticleHow do I handle checksum errors on a file being written to by multiple...
I've got a Universal Forwarder running on a RedHat Linux VM that is monitoring a particular type of error log file. In some cases, there are multiple processes that can write to the same error log file...
View ArticleWhere on a Windows machine should I store logs generated from custom scripts...
Running a log-generating script locally on a Windows machine with a Splunk UF, I am looking for best practices for where to store the script log files. I imagine that there may be permissions issues...
View ArticleSplunk upgrade deployment server
During Splunk upgrade (5.0.5 to 6.2.5) of our indexers, search head, deployment server we have noticed that all the deployment apps get refreshed in all the deployment clients and a lot of the...
View ArticleSplunk Indexer and Universal Forwarder version compatibility
I noticed that Splunk official suggested us to keep the Indexer and UF using the same version (I am using 6.2.3). However, due to some issue, I need to upgrade the UF to 6.2.6 or 6.3. So doing, any...
View ArticleDoes useACK=true in inputs.conf [batch://] stanza ensure that the file will...
I have an application which writes .json files into a directory. I would like to be able to monitor the directory and forward all files to the indexers. The files are written once, and never updated,...
View ArticleSplunk SSL Question
So I have a Splunk environment signed by a 3rd party CA. However, the forwarders are using self-signed certificates because it's in a testing environment. WHen I try to send data from forwarder to...
View ArticleAdd index to default searched index in splunk light.
I'm forwarding traffic from a window file server to a splunk light instance. The index where the data is received is wineventlog. That index isn't searchable. How do I add that index to the default...
View ArticleHow to duplicate/clone a deployment app (Splunk Add-on for Microsoft Windows)...
We are using the Splunk Add-on for Microsoft Windows to get Windows Event sourcetypes that we're forwarding from Universal Forwarders. We're managing our UF's with a deployment server. I would like to...
View ArticleAfter installing a universal forwarder on Ubuntu 14.04 LTS, why am I getting...
I have installed the forwarder in `/opt/splunkforwarder` and run the `splunk start` command. I get the license to read/accept, but when I accept the license I get the following message: **This appears...
View ArticleWhy am I getting "Error initializing SSL context - invalid sslCertPath for...
Hi Guys, I have configured SSL certificates and added it to my forwarder and indexer according to their recent documentation. My communication between the forwarder and indexer works well, until I...
View ArticleWhy do our hp-ux-ia64 universal forwarders stop phoning home after pushing...
Hi, I have many forwarders, and there are problems with phone home on one architecture: hp-ux-ia64. These forwarders sometimes stop phoning home after pushing changes in config (I use deployment...
View ArticleHow to search how long it takes for data to go from a universal forwarder to...
Anyone have a quick search on how to measure how long it's taking for data to go from Universal forwarder to be searchable?
View ArticleSplunk Universal Forwarder and TCP Data: What exactly is Splunk looking for...
According to the doc here: http://docs.splunk.com/Documentation/Splunk/6.3.3/Forwarding/Setuploadbalancingd> Important: Universal forwarders are not able to switch indexers when monitoring TCP...
View ArticleWhy are events that are sent to splunktcp://9816 from one Universal Forwarder...
Events sent from one Universal Forwarder to another UF are going directly into the main index, even after I have specified index and sourcetype in the inputs.conf file on the receiving forwarder. How...
View ArticleGetting a "TcpOutputProc - LightWeightForwarder/UniversalForwarder not...
Here is my outputs.conf : [tcpout] server=myserver.com:9997 Not sure, why we are receiving this error when we have our outputs.conf file setup in etc/system/local. TcpOutputProc -...
View ArticleIs it possible to configure inputs.conf to forward events based on "Custom...
Hi Splunk Community, Can one configure inputs.conf to forward events based on a "Custom Views" in Event Viewer? Specifically, we are looking to forward the events Certification Authority events. ![alt...
View ArticleHow to upgrade 15 Solaris hosts from Splunk 4.1.3 to 6.4.0 universal forwarders?
As unix support staff drafted to be an inexperienced Splunk support staffer, I hope I can appeal to someone who knows what they are doing. I've been tasked with updating about 15 Solaris hosts to the...
View Article