After moving Windows Event Logs to a non-default location, what edits to...
I'm using the Splunk Universal Forwarders on our Citrix XenApp servers to forward logs to Splunk Enterprise. Besides the default Application, Security, and System logs I've also added AppLocker logs....
How to resolve an "Invalid key in stanza [WMI:Patching]" error that occurs...
I have a WMI Input defined on a universal forwarder and I get the following error while starting Splunk, and of course nothing gets indexed from this input **Checking prerequisites... Checking mgmt...
How to configure an app's outputs.conf to forward data to a specific indexer?
Hi Experts, We deployed 4 apps on Splunk Universal Forwarder. 3 apps having same outputs.conf and sending data to same indexer. The 4th app has a different indexer IP. All 3 apps are able to send data...
How to configure line_merge in props.conf so that lines will not be merged...
Hello For a particular sourcetype I am trying to configure props.conf so that the lines should not be merged. I have created /opt/splunkhome/apps/custom_addon/local/props.conf and set it to this:...
How to edit my WinRegMon stanzas to monitor new programs being added to...
Looking to use Splunk to monitor new programs being added to "Startup" on Desktops and Servers. Here are my stanzas: [WinRegMon://Startup1] baseline = 1 disabled = 0 hive =...
How to troubleshoot why our universal forwarder is not sending all events...
Good afternoon Splunk team, please could you help us with this? We have this scenario: Splunk has been logging constantly our 60 events per hour, but starting at November 5th, we are now missing...
How to collect server infra information when it is forwarding data over UDP?
We have few servers on which an application is installed. It is highly scalable and new servers are automatically added when application is scaled. Servers are currently sending data over UDP and when...
How to find lost logs from universal forwarder?
Hi, I've a universal forwarder on a Linux machine that forwards Security Onion logs to my Splunk instance. Logs are coming to network interface via port 9998 (checked tcpdump), When I try to search...
Why is my timestamp date format changing from dd/mm/yyyy to mm/dd/yyyy?
Hi, I'm using Splunk Enterprise 6.5.0 with Universal forwarders 6.5.0 for some years now to index log files from .Net webapp. Forwarders are looking into a directory where each day a new file is...
When installing the universal forwarder, why is it unable to create...
I'm trying to install Splunk Universal Forwarder on Red Hat OS. I am getting stuck at this step. Before this command, I've already run: chown -R splunk /opt/app/splunkforwarder chmod -R 755...
Is there a recommended method of ingesting the entire Bit9 Carbon Black...
Currently we're using the Splunk Add-on for Bit9 Carbon Black and are forwarding and ingesting "Events" as they're generated and exported using Bit9's external analytic export method. When we attempted...
Splunk Add-on for Microsoft Exchange: Is there a solution for missing...
Greetings, We are running on-premise Splunk v 6.5.0 with Splunk App for Microsoft Exchange v3.4.0 with Exchange 2013. Some panels in the Splunk App for Microsoft Exchange are showing no data. I narrowed...
Can a Universal Forwarder be used to forward indexed data on a search head to...
Hello. I'm fairly new to Splunk and am working on configuring a Splunk infrastructure. If I have one search head server and one indexer server, any data that is indexed on the search head server should...
Why am I unable to retrieve .nix hosts data for the Splunk Add-on for Unix...
I have installed Splunk Enterprise full instance on a Linux system and universal forwarder in different Linux system. I have to read the CPU and disk usage of the forwarder system to Splunk Enterprise...
After deploying universal forwarders on Citrix hosts via master image, how to...
We have a master image controlling 10 Citrix XenApp hosts. We have deployed Splunk Universal Forwarders via master image, however, all the UFs are reporting with the same master image name. From...
Splunk on RPI
Hi there, I have been looking into using the RaspberryPI (RPI) and Splunk coupled with a SPAM port to monitor network traffic. Now, I know there is only Stream and the Universal forwarder that are...
How do I configure syslog-ng relays to send data to Splunk?
I need to get the data from a couple dozen syslog-ng relays into my Splunk instance. Since it is a relay and the data is not stored anywhere, I am not sure how the data can be sent to the instance....
How do I configure the Deployment Server to have a Universal Forwarder send...
Hello everyone, I have in theory a very simple question. Hopefully this is as simple as I think it is. I have a deployment server and a Universal Forwarder (UF). I also have an indexer and search head....
Does the Splunk Universal Forwarder ever throttle its collection of data due...
Is there any built-in mechanism (e.g. settings in limits.conf or server.conf) that would throttle the execution of the Splunk Universal Forwarder in such a way that it stops collecting perfmon data...
Windows installer on Splunk 6.4.x universal forwarders installed the Splunk...
The Windows installer in the 6.4 Universal Forwarder installed the Splunk Add-on for Microsoft Windows 4.8.0. Was that feature removed in the 6.5 Universal Forwarder?