Several of my forwarders are having issues blacklisting the _internal index
Several of my forwarders are having issues blacklisting the _internal index. In my forwarder's **\etc\system\local** folder, I have an outputs.conf file with the following logic **[tcpout] defaultGroup...
Help with installing two universal forwarders on the same Windows box -...
I need to install 2 separate universal forwarders on the same Windows box. I have the install built, one via msi and the other via scripted process. On one install the service shuts down. I connected...
Files not indexing due to fast rotation
Hi All, Hope you are doing good. I have come across a difficult situation in indexing a file. We have a few Universal Forwarders, on which files will be rotated very fast (within seconds) during mid...
Will Splunk run a modular input using system Python on a Universal Forwarder
If I have a modular input written in Python, will Splunk attempt to execute it on a Universal Forwarder if the host has Python installed?
How to automate Splunk Universal Forwarder installation on Windows script?
Hi, Seeking assistance on how I can automate Splunk forwarder installation using a Windows script. Can I add this command to a Windows script? msiexec.exe /i...
Whitelisting for universal forwarder not working in 6.6.3.0
I am using UF 6.6.3.0 on my domain controller and following is my inputs.conf. The whitelisting part is not working; I am seeing all event codes. [WinEventLog://Security] disabled = 0 start_from =...
Why isn't whitelisting for universal forwarder working in Splunk v6.6.3?
I am using UF 6.6.3.0 on my domain controller and following is my inputs.conf. The whitelisting part is not working; I am seeing all event codes. [WinEventLog://Security] disabled = 0 start_from =...
How can I change my alerts so they do not resend once they've already been...
Hi All, We have the below query which is getting triggered every day based on the missing UF server from the lookup table and it creates a ticket for the same. Currently this alert creates a ticket...
Why are some Windows Security events not logging in Splunk?
I have a UF set up on a Windows 2012 server. I am logging Win sec logs but I see some in the Event Viewer that are not going into Splunk. How can I get all the logs to go into Splunk from the Windows...
Why does the universal forwarder container require docker.sock to be mounted
Can someone explain why the docker universal forwarder container requires docker.sock to be mounted? Is there a specific reason it requires this? Is there a way to get around this? From everything that...
Splunk Universal Forwarder TCPOUT Cutting Events in Transit
I have a UF that is monitoring 5 rather large (200MB to 12GB) files and then sending via TCPOUT uncooked data to an rsyslog server. However, it appears that some of the events are getting split...
IIS filter transform not processing when forwarded from universal forwarder,...
I've found many entries on the subject of filtering IIS logs, with people saying X has worked. However, I'm not able to get it fully working. If I copy an IIS log that should be filtered to the server...
Search logs show up only when I restart universal forwarder on domain controller
Hi Guys, I have installed Splunk UF 6.3.3 on our Domain Controller 2k12 and following is my inputs.conf [WinEventLog://Security] disabled = 0 start_from = newest current_only = 1 evt_resolve_ad_obj = 0...
Error messages when I try to connect the universal forwarder
Hi, I'm brand new to Splunk and have been given an existing Splunk environment to manage. I need to get a universal forwarder installed on a couple of servers. This environment already has several universal...
Splunk for Blue Coat ProxySG: why can't I import using a universal forwarder?
http://docs.splunk.com/Documentation/AddOns/released/BlueCoatProxySG/Releasenotes I am using Splunk Add-on for Blue Coat ProxySG. I can successfully import using GUI. However, using universal forwarder...
Trouble setting up universal forwarder for Windows Log Collection
I am trying to set up my Splunk Enterprise 6.6.1 to be able to ingest Windows logs from remote PCs but not having much luck. I know I am missing something, or not comprehending something, but can't...
Windows Events Not showing Up on Indexer
A UF was installed on 2 Windows domain controllers. These are in a different Windows forest than my other devices. I had to manually add these to the windows_eventlog class by IP as the DNS name can't...
File not being read by Splunk in a directory while others are
Hi, I have a directory which is defined in inputs.conf on a host (which has UF running), directory is: /var/middleware/inventory/var As per the logs (splunkd.log), the directory is now monitored:...
Splunk Universal Forwarder 6.5.2 running on 100% on Solaris
Can someone help me in resolving the issue? Splunkd Universal Forwarder is taking 100% process. I am monitoring around 50 log files and the data is not more than 30GB daily. For monitoring I am not...
What is the recommended version of the universal forwarder?
Hi Folks, We have various kinds of Splunk universal forwarder versions (4.3.1, 5.0.1, 6.1.1) in our environment and we are planning to upgrade the old versions to the new Splunk recommended version, is there...