Is there a way to retrieve Universal Forwarder configuration remotely for...
Hi, I am developing a plugin for my organisation's security configuration compliance auditing system, and some Windows Server-based devices have come into scope which are using the Splunk Universal...
Splunk Universal Forwarder is not able to send monitored file's logs to...
Hi All, I have six forwarders and two indexers to which these are supposed to send data. The six forwarders have multiple instances of forwarders i.e., each having three instances. There are three...
Splunk Universal Forwarder footprint - What is that hourly task that causes...
Hello, While terminating the new documentation of the TA-nmon, I carefully ran several steps of detailed load analysis to demonstrate and illustrate what are the costs related to the addon. This...
How to create an alert when a new forwarder is added to deployment server?
I'm looking for a way to report/alert anytime a new forwarder is added to my deployment server. I've tried searching on internal with the following search, but this isn't unique to when a forwarder is...
Splunk server not receiving data from node
I have a Splunk Enterprise server and a node configured with Linux forwarder. These are the things configured in both the ends: server: enabled port 9997 to be receiver added the following in...
What happened if universal forwarder is pointed to a new Deployment server?
Hello, Situation: - Universal forwarder pointed to a temp Deployment server - Two applications are deployed on the Universal Forwarder from the temp Deployment server What happened with the two...
How to rename host field value based on event data?
I have a Linux server that ingests pre-cooked log files. Each line of the log file begins with the host that the log originated from. I have a universal forwarder on a Linux server watching for log...
Is there a way to retrieve Universal Forwarder configuration remotely for...
Hi A while ago I asked a question - https://answers.splunk.com/answers/525239/is-there-a-way-to-retrieve-universal-forwarder-con.html#answer-525378 about retrieving Splunk Universal Forwarder...
Splunk Universal Forwarder is ignoring logs
*OS: Windows Server 2008 R2 Enterprise Splunk Universal Forwarder version: 6.2.6 (build 274160)* Hi, Good Day. Would like to seek for an assistance, resolution on my issue. Here's the case: I have 5...
Why is the Universal Forwarder also sending internal logs when only told to...
We have a single inputs.conf stanza that sends the data from "targetLog.log" to a different indexer, "indexerB", than everything else being sent from that forwarder. When the app is enabled, the...
How does a Universal Forwarder send raw and cooked data to an indexer?
So I know that during the input phase, a universal forwarder will take the raw data, add some metadata tags to it, and send it over to the indexer as "cooked" data, which is really just event data. I...
How to set TIME_FORMAT and TIME_PREFIX in props.conf with Docker log driver?
Currently, we are using Splunk universal forwarder where following parameters are set in props.conf: props.conf [json] TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3NZ TIME_PREFIX = \"time\"\:\"...
Why is the Universal Forwarder on Windows 7 communicating with deployment...
I have a stand-alone instance of Splunk running on Linux. I have a Universal Forwarder installed on Windows 7 with the intent to collect the Windows event logs. The stand-alone instance was enabled to...
What’s the best way to alert when a universal forwarder can't connect to the...
What’s the best way to alert when a universal forwarder can't connect to the deployment server? I am looking to build an alert when a forwarder cannot get the configuration from the deployment server....
How to edit my props.conf to line break my events properly?
I am trying to have separate BrkrName events. I have a script `./iibqueuemonitor.sh` that outputs: EventType=Broker,BrkrName=MBIB001P01,Status=RUNNING...
How to remove a specific string from events in Splunk?
Hi All, currently we are facing an issue in removing specific values from the event list starting with the word "at" as we do not want these in the Splunk events. Example: 5/16/17 8:57:04.674 AM...
Has anyone installed the Splunk Universal Forwarder 6.6.0 on Windows 2012 R2?
Has anyone tried to do an install with Universal Forwarder version 6.6.0? I'm trying to install using Splunk Web, and on some of my servers it hangs after I've entered the data. The last line in the...
Universal forwarder on 2008 vs 2012
We have Splunk Forwarders installed on a lot of 2008 servers, and they all work fine. The ones installed on 2012 servers, however, do not. They send the event logs, but they do not send all the data...
What are the dependencies for Universal Forwarder setup on Linux?
We are trying to install Universal Forwarder package (v 6.4.1) using the yum command by making use of the Splunk rpm file. The OS version is Redhat Linux 5.11. When we execute the command, during the...
How does time synchronization work between forwarder and indexer?
Hi, we have hosts sending logs to indexer using universal forwarders. The hosts are spread across different time zones. I want to know how the indexer synchronizes different time zones into one. Can you...