Splunk TA for Solaris 11: How to get the Solaris ldoms.sh script to send data...
I installed the Splunk TA for Solaris 11 in my UF (Universal Forwarder) and left the default collection from the inputs.conf. The stanza: [script://./bin/ldoms.sh] disabled=0 index = ia interval=600...
What is the intended behavior when setting the "instances" option for perfmon...
In the inputs.conf spec for collecting perfmon data (https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf#Performance_Monitor ), there is an option called "instances". Reading the...
Why did upgrading my Universal Forwarder result in a license violation?
I am monitoring the directory where IIS logs are stored. The universal forwarder is sending the information on a dedicated index. To upgrade the universal forwarder, I saved the customization files...
How to blacklist indexing a security event based on the Account Name?
I'm running the Splunk Universal Forwarder and I've configured the inputs.conf for the Splunk Add-on for Microsoft Windows to monitor the Security event logs for Windows. At this time though I'm...
How can I monitor my Splunk universal forwarder to make sure the forwarder is...
Hello! Recently I noticed some universal forwarders hanging and not sending logs to the indexer. So, how can I monitor my Splunk universal forwarder sending logs to make sure the forwarder is working as...
How to uninstall Independent Stream Forwarder?
I did quite a dumb thing, I installed the Independent Stream Forwarder onto my Universal Forwarder, I didn't know that the Universal Forwarder can become a Stream Forwarder without installing the...
Has anyone seen duplicate windows server universal forwarders after update?
I have one forwarder that is showing duplicate on my Splunk server. I updated 3 forwarders to test them. It was from v4 to v5 UF. The other two were fine, the 3rd is having an issue. Over the weekend...
How do I debug perfmon:memory missing on a windows 2012 R2 host?
I have a couple of hosts that have the same version of Windows (2012 R2) that one will produce perfmon:memory data, and the other will not. They have been installed with the same version of the UF...
Can we add additional parameters (IP and hostname) to the logs which are...
I am kind of new in Splunk and I am curious about something. When I install universal forwarder to a Windows server, it sends only name or ip, and by default, it sends the name of the server (can be...
How to Restart universal forwarder (agent) remotely via deployment manager?
We face few issues whereby our endpoints (clients) may have Splunk Service Stopped. Can we force restart Universal forwarder (agent) "splunk service" or "splunk" from our deployment manager? Currently...
Why is the Universal Forwarder not loading Splunk Add-on for Unix and Linux?
I'm working on deploying the Splunk Add-On for Unix and Linux to the universal forwarders in my environment using a configuration management system. I packaged the add-on into an RPM for easier...
How to restart a universal forwarder remotely via deployment server?
We are facing a few issues where our endpoints (clients) may have the Splunk service stopped. Can we force a restart of the Universal forwarder (agent) "splunk service" or "splunk" from our deployment...
Is it possible to add and correct fields for past events?
Hi, we just set up our first Universal Forwarder which now works as expected. But it didn't do so initially, before we had all set up correctly. We now have the problem, that the first events we...
How to set up Splunk DB Connect with Splunk Cloud?
Hi, I'm just beginning the process of getting Splunk DB Connect and Splunk Cloud working together. I've read the docs, but I'm having a hard time understanding how to get this to work with Splunk...
How to see www* as host from secure.log and access.log ?
Hello Splunkers, I am forwarding logs from Universal Forwarder to a Search Peer (Standalone Indexer) and doing the search from a standalone Search Head. I have done as far from my understanding....
How to configure an Intermediate Forwarder and the inputs.conf and...
Hi All We currently have universal forwarder installed in our 3 application servers to forward application logs to Indexer. The inputs.conf file in each of the application server looks like this...
How to troubleshoot why my heavy forwarder is not receiving Windows event...
I want to send "wineventlog:security " logs to **Heavy forwarder(KIWISERVER)** and below are the configuration files that I have created on the **Universal forwarder** **inputs.conf:**...
Why are no events showing on any indexers after using "Add Data" on the...
Hello, I have 2 Indexers along with 1 search head. Both the indexers are added under distributed search peer. From a universal forwarder, I followed the method to add data from Files and Directories...
Why is SHOULD_LINEMERGE not allowing me to set to "false"?
I'm using the Universal Forwarder, and I have a requirement to log events under a specific Source Type using specified line breaks, while at the same time sending some events to the nullQueue. From...
How to troubleshoot the Universal Forwarder when it is not sending events to...
We have an existing infrastructure of Splunk where events are passed from multiple Linux boxes to Splunk indexers. We recently have installed Splunk **forwarder** in a **Windows** box. When we search in...