Is it possible for the Universal Forwarder to open the TGZ file and index...
Hi, I have a TGZ file that needs to be indexed into Splunk. Configuring inputs.conf is easy enough. The part I'm having trouble with is this TGZ file contains several files but I'm only interested in...
Will Splunk update the host field in indexed events if a universal...
So after months of battling an issue with our indexers dropping connections, we determined that there was a problem with the indexers performing reverse DNS lookups for the connecting servers. To...
dmc_forwarder_asset not displaying Universal Forwarders
Is there a reason why "dmc_forwarder_assets" is not displaying the universal forwarders in DMC? It was displaying it before but now it is not. Thanks
Why is Splunk universal forwarder not indexing data from all log files?
Hello, I am running Splunk as a non-root user. My Splunk universal forwarder is not indexing data from all files. When I run Splunk list monitor, it is listing all my files that I have mentioned in input...
How can I split custom Windows Event Logs from the same source into multiple...
I have a custom Windows Event Log source that I want to monitor via a universal forwarder. I'd like to split the events into 2 buckets resulting in 2 different source types in Splunk: - first bucket is...
Why is a particular index-volume (per day) increasing?
Recently, I have added a file share system for indexing via "Universal Forwarder" at Windows server to the receiver/deployment server (Linux). Yesterday, the total volume of raw data for the file share...
AD Universal Forwarder stops forwarding
Hi Splunkers, we ran into some problems with our Universal Forwarder (version 6.5.0), which collects event logs from our root DC in the testing environment. So, we had several issues, but limited those to...
Error installing Universal Forwarder docker image
I'm trying to set up the forwarder on Docker (beginner to Docker). I got the sample yml file from: https://hub.docker.com/r/splunk/universalforwarder/ When I try to run docker-compose up, I receive the...
Is it safe to use a 6.5.2 universal forwarder with a 6.5.1 indexer?
I would like to deploy the latest 64-bit Windows forwarder (6.5.2) but we are still at 6.5.1 for our indexers.
How to forward _internal to defaultGroup
Hello, I have the following outputs defined on all my universal forwarders: [tcpout] defaultGroup = prod-group, valid-group [tcpout:prod-group] server = server1:9997 [tcpout:valid-group] server =...
Universal Forwarder Crash _initCrcLen' failed.
I have a universal forwarder running that picks up bluecoat logs from a directory. Everything works as expected, however every couple of hours the forwarder randomly crashes with the following error...
Are there limitations for a Splunk Indexer on Linux indexing imported Windows...
I referenced a prior question on this regarding Linux Splunk server and Windows Event Logs: https://answers.splunk.com/answers/60343/linux-splunk-server-and-windows-event-logs.html But this is more...
Why am I unable to monitor $SPLUNK_HOME/var/log/splunk/audit.log on my Linux...
I created an app named a_uf_inputs_conf. The app simply contains inputs.conf that has the monitor stanzas below. This app was deployed to both Windows and Linux servers. It is working on the Windows...
How to add custom tags to event data via universal forwarder?
I am using universal forwarder. I wish to tag my logs with the application and some custom information like groupA or groupB etc. So, I wish to have multiple tags to my events namely applog1, groupA. I...
Is it recommended to install Universal Forwarder on all Workstations?
Hi, is it the best way to install Universal Forwarders on all workstations and enable Windows security events? Right now I have UFs on all DCs.
Where do I find the logs of a universal forwarder that are installed in a...
Where do I find the logs of a universal forwarder that are installed in a domain controller? We have a universal forwarder installed in the domain controller, but the logs for password change attempts are seen...
Which properties are available for a Universal Forwarder in Props/Transforms?
Hi, I can't find any reference in the docs (i.e.: http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Propsconf) of Props or Transforms about which attributes are available/working on a Universal...
How to configure inputs.conf to parse key value pairs in IIS 8.5 logs?
I'm trying to parse IIS logs in Windows 2012 R2 based on the blog article: http://blogs.splunk.com/2013/10/18/iis-logs-and-splunk-6/ From what I understand, as long as I set the sourcetype to "iis",...
Cannot download universal forwarder credentials
- I installed Splunk Light via the AMI on AWS. - I am trying to set up the universal forwarder by following the help doc here:...
Can data being sent from a Universal Forwarder be filtered at the indexer...
We have a Universal Forwarder that is sending a huge amount of data. We need to only index events that contain any of these words-- "EnvisionResponse" or "EnvisionRequest" or "TransactionStatusDetail"....