Why is Splunk Light Cloud indexing 58 duplicates of 1 raw entry?
Have been experimenting with Splunk Light for about a week or so. I have 8 different devices running a Java application that I need to monitor logs (log4j) from. The devices have Universal Forwarder...
Splunk Add-on for Unix and Linux: Is there a way to auto deploy this add-on...
On the Splunk Light server (indexer + UI, configured to be Distributer) I did the following: I installed the Splunk Add-on for Unix and Linux (Splunk_TA_nix) according to instructions. I set up the...
How to prevent a PID file from causing one of our universal forwarders to...
Hi, I got an issue with one of the Universal Forwarders. It is automatically shutting down and when I restart, it is again shutting down immediately. According to what I see when I check status, I...
How do I monitor Desired State Config event logs?
I'm trying to monitor the Desired State Configuration event logs on some Windows servers. I cannot seem to get the monitor stanza to work. Here's the current stanza:...
How to search the number of times a universal forwarder went down in a day?
Hi, We are facing an issue with our universal forwarder where the Splunk agent on universal forwarder is going down regularly. We need to identify how many times the forwarder went down on a host. Can...
Upgraded universal forwarder from 5.2 to 6.5.0. Is it typical to receive a...
I upgraded my Windows universal forwarder from 5.2 to 6.5.0. All I did was grab the installer from download and install on top of the older config. I am getting a fatal error on the...
Why am I unable to download the Universal Forwarder splunkcloud.spl...
We have a Splunk Light Cloud instance. When trying to set up the Universal Forwarder, I can't seem to download the splunkcloud.spl credentials file. Here's the error that I see: No static asset with...
After installing the Universal Forwarder using MSI, I am not receiving any...
I installed the Universal Forwarder using the MSI, specified server info, but didn't check any boxes for wineventlog and such. I can see the PC checking in on the Splunk server, but it's not receiving...
What does "ev" represent in a universal forwarder's _internal metrics log?...
The metrics logs for thruput contain entries like this: ... kbps=8.645610, eps=0.225803, kb=268.018555, ev=7, avg_age=11.428571, max_age=16 On the indexer, ev is a count of events. But on a Forwarder...
Why does the Splunk Universal Forwarder 6.3.0 on Linux x86_64 server keep...
Splunk Universal Forwarder agent keeps crashing - Agent version 6.3.0 ...Server is Linux x86_64 crashlog updated: [splunk@ftdcslsapp638 splunk]$ cat crash-2016-10-12-11:52:08.log [build aa7d4b1ccb80]...
Why would a universal forwarder be needed if it is unable to restrict or...
Hi Experts, Please clarify my doubts regarding the Universal Forwarder: 1) Is installing the UF on 60 machines (mix of Linux/Windows) a good option or is pulling data (like remote data) a better...
How will the universal forwarder behave while tailing Active-DR cluster...
Client has a clustered Active-DR setup for their PROD application. At a given time, only one server (node) is active and mounted with common NFS share. When application switches over to the other...
Why is one of our universal forwarders missing from Forwarder Management on...
Hi Everyone, I installed the universal forwarders on 4 of my test/uat Domain Controllers: DC01.uat DC01.tst DC02.uat DC02.tst 3 of the 4 devices are appearing in the Forwarder Management on our...
Why has support been removed in 6.5.0 for universal forwarders on Windows 7,...
I'm looking to upgrade from 6.4.1 to 6.5, and I came across this: > Windows 7 x86-32 & x86_64: Free/Trial and Universal Forwarder support has been removed....
Should I configure a universal forwarder to forward data to the master node...
Setting up a Splunk indexer cluster consists of the following: idx01 : indexer mode: master idx02 : indexer mode: slave idx03 : indexer mode: slave idx04 : indexer mode: slave sh01 : search head sh02 :...
Why is one of my blacklists on inputs.conf not working to filter events from...
Hi, So I am using Windows Universal forwarder (6.4.1) to forward data to indexers (6.5) I have a filter setup in inputs.conf on UFs: [WinEventLog://Security] disabled = 0 index = test sourcetype =...
What is the best way to check for hostname consistency in Linux and Windows...
I am looking for ideas on how to verify hostnames are correct when writing to the indexes and when phoning home, as I have encountered a fair number of UFs that were renamed and this is causing some...
Why am I receiving "UniversalForwarder Setup Wizard ended prematurely because...
Hi, There are a few servers throwing the error while installing Agent: "UniversalForwarder Setup Wizard ended prematurely because of an error." Can you please help? Cannot install Splunk (tried all the...
How to forward data to both third party and indexer servers without...
I am fairly new to Splunk. The company I work for already has Splunk universal forwarders installed on servers to pull log content out to Splunk servers to index. Now we would like to forward the same...
Can we collect Windows event logs with the Splunk Add-on for Microsoft...
Hi everybody, Is it possible to use the Splunk Add-On for Microsoft Windows when the indexers and search heads are all running on Linux? We have a group of people who want to collect Windows logs and...