How to troubleshoot why data is only getting indexed in Splunk for 1 hour...
Hi, We have an issue with Splunk getting data into indexes. We are getting data only during one hour (12.00 AM to 12.59 AM) every day. We have not specified any interval though in inputs.conf. Can you...
Why am I not getting data from the Splunk App for Stream using a universal...
My problem is like this: https://answers.splunk.com/answers/209017/why-am-i-not-getting-data-from-the-splunk-app-for.html, but I cannot find a solution in this post. Can anyone confirm exactly how the...
How do I run a universal forwarder on an indexer that's handling non-IT data?
I need to create a standalone Splunk instance to handle health data (about the health of humans. Non-IT data). So, I want to forward its `/var/log/*` data to my main indexer like any other server. Is...
How to troubleshoot why Splunk is reindexing log file data with some fields...
Hi, I have Splunk Universal Forwarder running on my BRO-IDS sensor machine and monitoring a log directory where Bro rotates the files every hour and the rotated files are kept elsewhere in another dir...
What happens when Universal Forwarder loses its filesystem?
Has anyone seen what happens to a Universal Forwarder when the filesystem it is running from goes away? I just found out about some weekend maintenance to our network storage that will cause...
Splunk_TA_nix multiple inputs configurations
Hi, I am looking to deploy the Splunk_TA_nix to multiple servers. I would like to have different inputs.conf depending on the server type, all deployed from the same deployment server. There are a few...
Trying to set up forwarder for Splunk Light - Download Universal Forwarder...
I am trying to set up a universal forwarder (Windows) to send data to our new Splunk Light trial account. I am following the instructions on the following page and am stuck on the part where I am to...
What if indexer is unavailable when using DNS list load balancing
A universal forwarder will request to resolve XXXXXX (DNS) and it may get an IP address of the indexer that is no longer available. In that case, it doesn't have another address to try, so what will it do
Troubleshoot - Linux Universal Forwarder is not forwarding all files
We have a UF on RHEL that forwards some files fine but one that is not being forwarded. I recently added a file to forward and it is not being forwarded. We are using splunk light 6.4 and UF 6.4. I can...
Collecting Windows eventlogs with whitelist based on word
Hi, I need to collect all Windows security logs from my infrastructure with Splunk UF installed which include a specific keyword. I'm using the following config for Splunk add-on for Windows, but this results...
How to disable the universal forwarder default management port 8089 with a...
I'm trying to disable the default management point on the universal forwarders (8089) with the deployment server and I'm having a hard time getting the deployment server to deploy correctly. I have...
How to resolve "SSL23_GET_CLIENT_HELLO:unknown protocol" error on our indexer?
I'm setting up a Splunk Indexer (Splunk Enterprise 6.4.1) on CentOS 6.8 64-bit. I do have the Splunk Add-on for Microsoft Windows installed on the indexer. My (/opt/splunk/etc/system/local/)inputs.conf...
Splunk App for Stream: How to configure a universal forwarder to monitor DNS...
I'm having trouble getting the Splunk App for Stream working in a test environment with the following configuration: 1. Standalone Splunk Search Head and Indexer 2. Universal Forwarder (target for...
Why is our universal forwarder not forwarding all logs on DHCP servers?
Hi, DHCP logs from all DHCP servers are not updating in Splunk, even though the logs are present there. When I restart the universal forwarder, I'm seeing the logs in Splunk. Is this the issue...
Restarting a universal forwarder on AIX, why do I get error "ulimit - Splunk...
Hi, I get the following error when I restart our universal forwarder for AIX, 05-24-2016 18:06:26.872 +0800 INFO loader - Splunkd starting (build 272667). ... 05-24-2016 18:06:31.178 +0800 WARN...
Universal Forwarder Regex - no special field
Hey guys, any chance to set a blacklist entry in the universal forwarder's input.conf for not sending events where in any field (description, TargetUserName, TargetUserSid or any else) the name for...
Universal Forwarder Using High CPU?
I recently installed a Universal Forwarder on an HA Windows server the other day and the guy who owns the server was complaining the CPU has nearly maxed out and shut down the box. He then took a shot...
Taking over an old Splunk deployment, how should I get data forwarded to our...
Hello, As I've said in a previous post, I am new to Splunk so please excuse the newb questions. I have been tasked with taking over our Splunk project which was installed about 6 years ago and mostly...
How often/quickly does a Splunk universal forwarder read a file?
Hi, I have some customers who are VERY concerned about the Splunk universal forwarder on their servers. We run tests, and it performed fine, but they are still concerned and would like to know exactly...
Why do I get this error when configuring the universal forwarder: SSL...
Hi, I am installing the universal forwarder (6.2) on redhat. I am running into several issues with the SSL setup. I am using my own self-signed certs. This is working fine in an old 4.2 universal...