Is anyone using Fluentd as an abstraction layer between host and Splunk indexes?
Is anyone using Fluentd as an abstraction layer between hosts and Splunk? If so, what are the trials and tribulations you were faced with? Is it safe to say that metadata is going to be an issue? I am...
Splunk Add-on for Microsoft Exchange: In the configuration stanza, what is...
Hi there, I've been playing with the Splunk Add-on for Microsoft Exchange which has stanzas with the following in them: time_before_close = 0 The Universal Forwarders don't like this value, however,...
How to resolve "err=not_connected" error in Deployment Server configurations?
Hi In the Deployment Server (DS): - I copied an app to the /opt/splunk/etc/deployment-apps/ In the Universal Forwarder (UF), I configured it as a Deployment Client: - splunk set deploy-poll...
App and Add-on for cassandra cluster monitoring: Why are cassandra logs not...
Hi, I am trying to configure the App for cassandra cluster monitoring and Add-on for cassandra cluster monitoring to monitor cassandra cluster. I have universal forwarder on each node. I have installed...
Why does attempting to install the Universal Forwarder on Windows via CLI fail?
I'm trying to perform a simple command line install for Windows Universal Forwarder (UF) and can't seem to get the install to work. All I want is a basic quiet install that points the UF to our...
Why is the Splunk universal forwarder not pushing data to indexer?
I recently upgraded a workstation to Win10 Enterprise. I installed the Splunk universal forwarder, however I am not collecting any data from the workstation at the indexer. I believe it has something...
How to make the deployment server manage all Universal Forwarders'...
The goal is to have the deployment server manage server.conf on all Universal Forwarders, like it does with inputs/outputs.conf. Automation is preferred as there are over 300 Windows systems. E.g. When...
How can I create a filter to capture certain events from security logs?
Hi All, I'm a newbie to the Splunk world and trying to figure out a couple things. I currently have Splunk Light installed and used the "Remote Event Log Collection" option to collect logs from my...
Forwarder Management Host Names Fail to be FQDNs
I've noticed that among all of the universal forwarders checking in with my deployment server, there is no consistency in which hosts are fully qualified, e.g. **myserver.mydomain.com**, and which...
How to make sure all servers checking in with the deployment server use FQDN?
I've noticed that among all of the universal forwarders checking in with my deployment server, there is no consistency in which hosts are fully qualified domain names (FQDN), e.g....
How to deploy scripted inputs on different OS architectures?
I have two scripted inputs, one bash script for Linux and one batch script for Windows. Both scripts are written to read a static configuration file and output the data for Splunk to ingest. Both...
Can we write UDP or TCP streams directly to indexer ports rather than using a...
Can we write UDP or TCP streams directly to indexer ports rather than using a Universal Forwarder in between?
Why am I receiving "SOFTWARE PROGRAM ERROR" in Splunk universal forwarder...
I'm running error script on a bunch of AIX servers but have encountered the "SOFTWARE PROGRAM ERROR" on a few of the servers. After getting the internal logs of the servers I have found that whenever...
How to properly configure Universal Forwarder, located on the same machine as...
Hi. I am trying to install a universal forwarder on the same machine as my Splunk instance just to see how Universal Forwarder (UF) works. I understand that you can collect the logs locally but just...
How to convert "_internal" field "date_zone" to time zone?
I am trying to convert the field "date_zone" reported by our Universal Forwarders (UF) in "index=_internal" from +0900 to KRW. Everything I have tried returns my account's local time zone (TZ). The...
How to resolve error "SRC did not 'startsrc splunkweb' on our behalf: exit...
My Splunk Deploy Server is CentOS 6.7. The UF, Splunk Universal Forwarder 6.0.13 running on server, AIX 7.1. If you register boot-start enable after installing the agent, the service is registered in...
Is it possible to define a custom location for universal forwarder local...
My Splunk Forwarder is installed on a share, which can be mapped to all the servers in my environment. Therefore, I am wondering if it is possible to use binaries out of this common location, but have...
Permission denied
I am running Splunk enterprise 6.3.1 and universal forwarder. We deploy the universal forwarder onto a Linux machine; it runs under the account of Splunk. Splunk is started with the account Splunk and...
Using the forwarder and stream like a dash-cam. Can I capture a set size of...
I have an interesting scenario. Does anyone know if it is possible to process logs collected from the universal forwarder like a dashcam? For instance, in this case I want to let stream run on a box,...
How do I remove host from Data Summary screen but keep data?
Hello, I'm looking for advice on how to handle systems that are removed from the network. We have several hundred Windows systems with the UniversalForwarder installed, sending log data to our Splunk...