How can I send logs from one universal forwarder to two different indexers...
I am planning to send the logs to multiple Splunk indexers (location) based on the logs type from one universal forwarder example server-1 myapp1.log -> indexer-South myapp2.log -> indexer-south...
View ArticleAre there any known latency issues when indexing logs that are 3 GB in size?
hey guys i noticed that a select few Apache hosts are sending in events with a 30 minute latency. here are some details: - Only 3 hosts from a total of 200 are affected - the log files that are being...
View ArticleSplunk UF crashing frequently 6.3
Hi All, UF is crashing frequently . I didn't find any details in the splunkd logs VERSION=6.3.0 BUILD=aa7d4b1ccb80 PRODUCT=splunk PLATFORM=Linux-x86_64 Splunk Error Log: splunkd:...
View ArticleUniversal Fowarder does not send data to Splunk Forwarder, Indexer
Hi all, Still new to Splunk management.... For some reason a Splunk Universal Forwarder (Windows) is not forwarding logs to my Splunk Forwarder and then the Splunk Indexer. Universal forwarder (6.4.2)...
View ArticleHow to install Splunk Universal Forwarder on multiple servers?
Hi Whats the best way to install Splunk Universal Forwarder on more than 100 servers without installing on each one separately?
View ArticleIs there a script to automate installing universal forwarders on multiple...
I have a use case to install Splunk Universal Forwarders in 600+ Windows servers at a time. Is there any script to automate it?
View ArticleWhy has the Universal Forwarder stopped sending events from Windows Forwarded...
We have a couple Windows Event Collectors which have between 4,000 and 6,000 Windows systems subscribed to them sending Event IDs 4688 (heavy hitter), 4698, and 4697s. For some reason the Universal...
View ArticleAfter upgrading to 6.5.0, why is there a runaway splunkd process using up an...
After upgrading to 6.5.0 from 6.4.3 on RHEL5 x86_64-bit, we're noticing a single runway splunkd process chewing up an entire CPU. It appears to be doing "nothing", according to strace:...
View ArticleWhy is our third party logstash only receiving half of logs forwarded from...
Hi Team, We are currently forwarding Windows logs to third party siem and logstash but there is problem. Looks like third party receiving receiving only 50% of logs although we are forwarding all logs....
View ArticleAfter installing a forwarder on Windows to send data to a Splunk Cloud trial,...
I'm new to Splunk and setting up Splunk Cloud trial verison. Have installed a Splunk forwarder on Win 2008 R2 64X machine and followed all steps mentioned in-...
View ArticleWhat is the expected behavior after restarting a universal forwarder if a TCP...
We have found an "issue" where all event ingestion stops for all queues after a Splunk restart on a universal forwarder (v6.4.1) if our development indexer (the only server in the splunkdev TCP output...
View ArticleHow to disable Splunk Web on a universal forwarder?
I use Nessus to scan for SSL issues, and the Splunk Web interface is being flagged due to the self signed certs. I have managed to make my indexer / search head use internally MS CA certs and go the...
View ArticleHow can we improve universal forwarder performance?
Hi, We have a proxy server where multiple log files get uploaded. The average is about 15 million events per day. Currently the server is processing approx 3 million events per hour (server=4 cores,...
View ArticleWhy am I unable to get data in to Splunk Cloud via the Universal Forwarder?
Hi, I've set up the universal forwarder a couple of dozen times before and had it work most every time (my fat fingers was the cause for the failures). For the life of me, I cannot seem to find out why...
View ArticleGetting a Windows user prompt from Deployment Server app running on client...
I have a deployment server app that makes changes on the target client. Part of the process requires closing another application. I would like to have an option to present a Windows form box that...
View ArticleShould I configure a universal forwarder to forward data to the master node...
Setting up a Splunk indexer cluster consists of the following: idx01 : indexer mode: master idx02 : indexer mode: slave idx03 : indexer mode: slave idx04 : indexer mode: slave sh01 : search head sh02 :...
View ArticleAfter installing universal forwarder on my Windows server, why am not seeing...
On one of my Windows servers, I have installed a universal forwarder. I am receiving the internal logs but no data is coming in.
View ArticleRetirement policy of fishbucket on the universal forwarder
Hello, I want to know a retirement policy of the fishbucket on the universal forwarder for a disk sizing. 1. The data retention period for the fishbucket on the universal forwarder 2. The maximum size...
View ArticleHow can I enable both Splunk server and Splunk Universal Forwarder at boot time?
Hi, I'm setting up a server with both splunk-server and splunk-universal-forwarder. When I try to enable the splunk-server service at boot time with this command: sudo /opt/splunk/bin/splunk enable...
View ArticleHow can I further edit inputs.conf in order to blacklist an event on Windows...
Hi, I am tired of making this filter work but unfortunately nothing worked. I have Windows Security events where there are two places where "Account Name" field appears . For ex (one under "Subject"...
View Article