Why is my Linux host not appearing when I try to add data?
Hi I already configured the universal forwarder in a Linux instance. I am using Splunk Cloud but the moment I try to configure "Add Data", the Linux host doesn't appear. I also configured a Windows...
Is there a way to forward data collected using scripted inputs to multiple...
Is there a way to forward data collected using [script] to multiple indexers using Splunk's load balancing feature? This is a TCP stream and am trying to implement this by using universal forwarder,...
How to edit my universal forwarder monitor stanza to index Active Directory...
I am trying to monitor the Active Directory Server for logs. I have a universal forwarder installed on a Windows AD Server, and there are logs at the following path: %SystemRoot%\System32\Winevt\Logs\...
How to troubleshoot why I am unable to forward Windows logs from a universal...
Hi Team, I have installed a universal forwarder with the credentials in my local system to forward logs to Splunk Cloud, and chose the Files & directories to monitor on the universal forwarder. I...
What is the user-seed.conf file?
I'm a bit confused about the user-seed.conf. Based on the documentation provided by Splunk, it seems this is to set up the initial password. Does this apply to Splunk universal forwarders? I am using...
An index was not prepared to ingest data, so I cannot see events from...
Hello, I forgot to have an index ready when I started to ingest data (log file with data from last week to present) from a Universal Forwarder to my indexer. I saw the message warning me of this, so I...
Is the Splunk Trial license limited in collecting remote data?
Hello, I have installed the trial Splunk Enterprise in Linux. I have installed also the Universal Forwarder in Windows 8.1 VM. I am trying to collect the logs but I can't. With netstat I see that he...
Windows Server 2008R2 Splunk server not receiving Windows Event Logs from a...
I initially tested the Splunk Server on a Windows 7 machine and installed the Universal Forwarder on another Windows 7 machine. This worked with no issues other than having to run sfc /scannow to get...
How to only index events that contain specific fields?
Hello, all. I know that my question's not unique, but I want to ask it :) I have a netflow text log on a server with a universal forwarder installed. I don't want to index this entire log. I only...
What's the best way to blacklist a Windows event code?
I have over 300 Universal forwarders and I'm getting several eventcode=5156 events errors. Is there a way to blacklist this event on a heavy forwarder? If not, what would be the best approach for...
If the Universal Forwarder doesn't do parsing, why do I see an abundance of...
I'm currently troubleshooting some data inputs from a Universal Forwarder that I have forwarding to an intermediate Heavy Forwarder tier which forwards to my Indexer tier. I was under the understanding...
After upgrading universal forwarders to 6.5.0, why are new events no longer...
Hi, I encountered a problem today with several universal forwarders, and it never happened before we updated to the version 6.5.0. Also, we didn't change our logrotate configuration. My problem: After...
After configuring new servers on the universal forwarder, why are sourcetypes...
Hello All. I am having existing setup for Splunk for the Aix servers and we just added some new servers to upgrade our application. On our existing AIX Servers, the Splunk universal forwarder are...
Field extraction using Splunk dashboard - appending constant text to an...
I am wanting to extract a new field from the original **source** field, based on regex matches. I would then like to prepend/append some constant text to the extracted value. I would like to do this...
Using indexer discovery, how to check if a forwarder has forwarded a file to...
**Issue**: - After uploading file to forwarder monitoring directory, we cannot search it on search head. **Environment**: - 1 search head --> 1 indexer cluster {1 master + 3 indexers} <-- 1...
How to set the exec queue size in server.conf to increase perfmon inputs?
We are trying to increase the size of exec queue since we check that for Perfmon and Wineventlog, it stores the queue there. We don't want to increase the parsingQueue since there are other data that...
How to resolve "ssl23_get_client_hello unknown protocol" error on indexer and...
Hello guys, I'm using this on deployment-apps (universal forwarder deployment) : [tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = indexer:9997...
After installing universal forwarder, why I am getting error in Splunk?
Hi all; I'm installing universal forwarder on my Linux and Windows machines. After that I'm starting to get the data with `splunk add monitor /path/to/logfile.log` and I see all of my data under search...
After installing universal forwarders, why am I getting error "you currently...
Hi all; I'm installing a universal forwarder on my Linux and Windows machines. After that, I'm starting to get the data with `splunk add monitor /path/to/logfile.log` and I see all of my data under the...
How to install the latest Splunk Universal Forwarder for Windows XP?
Hi, I have been trying to install a Splunk Universal Forwarder using "splunkforwarder-6.1.11-277527-x86-release.msi" on Windows XP. Install fails at the end of Install process and rolls back...