How to disable Windows universal forwarder service auto start after first...
I am using Citrix provisioning system to install Windows UFW (Universal Forwarder) 6.5.2 and got an issue: after installing the UFW to the gold image, the Splunk forwarder service automatically started....
Is there an event limit for Windows event log ingestion?
I have a Splunk Forwarder running on Windows 2012 and I'm monitoring a share with archived .evtx files from other Windows servers. I discovered that Splunk was ingesting most small event logs (less...
When installing the Universal Forwarder on a Domain Controller, are we...
Hello. Please see the screenshot on this post, it's from the Splunk Universal Forwarder (UF) installer steps. Are we supposed to check the box for “Add user as local administrator” when installing a UF...
Why are my Universal Forwarder logs not reaching my Indexer?
I'm troubleshooting why my Splunk Universal Forwarder (UF) logs in Active Directory Forest B are not reaching my Splunk indexer which is located in AD Forest A. TCP 9997 has been opened up in the...
Can I have a universal forwarder listen on port UDP 514, if the indexer is...
Hello, I think the subject summarizes. I searched for *answers*, but could not find a clear one. I have my only indexer already configured to listen to UDP 514. Unfortunately, now I have a second class...
Universal Forwarder as buffer only
If the intention of using a Universal Forwarder is only for a buffer to the Indexer, is it worth having one? Theory: Should there be a need to take the Indexer down for maintenance, the UF could...
Splunk Add-on for CyberArk: Should I use a Heavy Forwarder or a syslog server...
I'm trying to decide whether I should use a heavy forwarder or a syslog server with universal forwarder to receive data from CyberArk. Can anybody tell me which approach you're using, and how well...
Deployment of SSL Certificates on Splunk Universal Forwarders
Hi Splunkers! I would like to secure splunkd (port 8089) on Splunk Universal Forwarders by using a throwaway self-signed certificate. I tried the following methods: 1) Using msiexec to install Splunk...
How to get correct host information from a Universal Forwarder to...
We have a setup where we have a syslog-ng server that forwards all events using a UF to a HF and then to the cloud. The issue we are having is that the host information is getting replaced with that of...
Does uninstalling an app or add-on via the deployment server not trigger the...
I started using this flag within the serverclass.conf of our deployment server as documented here: restartIfNeeded = true | false * This is only valid on forwarders that are newer than 6.4. * If true...
Universal Forwarder - AuditTrailManager - Private key error - No such file or...
Hi guys, I got these errors on pretty much all of my Splunk universal forwarders. > 03-06-2017 12:25:27.743 +1300 ERROR AuditTrailManager - Private key error Error opening...
What happens when Indexer is down and UF is forwarding data without using...
I have a multi-site indexer cluster. All my UF(s) are configured for Site0 (auto-balanced across all indexers available in both sites) and Indexer Acknowledgement is DISABLED. When UF tries to...
Is there a way to trigger a universal forwarder restart when an app is removed?
I have an app that gets deployed immediately to newly installed forwarders that only contains 2 scripts (one for *Nix and one for Windows) and an inputs.conf. The scripts are called to remove...
I have configured my universal forwarder port through the TCP port. Will data...
I am getting data to Splunk Universal Forwarder port through the TCP port. Then the data is forwarded to indexers. What if the server is rebooted, will there be data loss? If not, how much time can...
Are my sequence of Splunk upgrade steps from 6.4.3 to 6.4.4 accurate?
**Our Environment:** Multi-site Search Head Cluster (X nodes on each site) Standalone Search Head with ES Indexer Cluster (X nodes on each site) Deployment Server Node (2 node, NY is active and ASH is...
Why are my inputs for Windows Network Performance Monitoring counters not...
Hi all, We're trying to get data from Windows network perfmon counters using the Splunk Universal Forwarder + Data Input without success. For all other collectors (CPU, Memory, Disk, etc.) this...
My forwarder's outgoing data rate is lagging. How to resolve this in order...
Forwarder is not sending the data in real time; it is having some lag as mentioned in the screenshot. Can anyone help me in...
Multiline Events sent from Universal Forwarder not breaking correctly
Customer is ingesting a custom log file with multi-line events using a Splunk Universal Forwarder which sends data to a Splunk Heavy Forwarder. The events should contain 20 lines, starting with an...
Perfmon - how to specify an index at installation time or with CLI?
Hello, is it possible to specify an index when you install a universal forwarder for perfmon's metrics or after with the CLI? I don't want to modify directly the .conf file. By default the data are...
How to filter XmlWinEventLog in Heavy Forwarder with regex?
Hi, I have XML rendered log from sysmon and I need to extract from this log only interesting fields, for example:...