Channel: Questions in topic: "universal-forwarder"
Browsing all 1551 articles

Seeing all the forwarded data on indexer but universal forwarder is saying...

Hi splunkers, I have forwarded the data using universal forwarder to heavy forwarder and then to indexer, where I am seeing all my data of agent server. But, the problem is I don't know why UF is...


Why am I having sourcetype override problems when trying to monitor a log...

I have the universal forwarder installed on a Windows 2012 server. I am trying to monitor a log directory for a custom application. The application creates a new log file for each month, so I have many...


How do you configure remote KV store on Universal Forwarder?

I have an application which uses the KV store to store the application's state. When installing it on a universal forwarder, I get errors saying "HTTP 503 Service Unavailable -- KV Store status is...

Do I have a possible KV extraction issue on the universal forwarder?

I have some json events that are fairly long (10K-20K characters). Most events come through fine, except for the fact that some events have an issue with some of the fields towards the end of the event...

Upgrade to 7.1.2 from 6.5.1 - Universal Forwarder Upgrade

Hello Team, We are planning to upgrade Splunk Enterprise v6.5.1 to v7.1.2. I understand that we need to upgrade or make changes to SSL/TLS config as per...


Why can't my UF send data from /var/log/messages?

***Question: why is /var/log/messages not forwarded to index?*** My deployment: ---------- UF: version 7.1.2 RHEL 6.10 **/opt/splunkforwarder/etc/apps/_server_app_linux-server/local/inputs.conf**...

On Forwarder: WARN AdminHandler:AuthenticationHandler - Denied session token...

I am seeing messages like this: 09-05-2018 13:23:47.416 -0400 WARN AdminHandler:AuthenticationHandler - Denied session token for user: splunk-system-user 09-05-2018 13:23:47.429 -0400 WARN...

Is there a configuration where I can set the DATETIME_FORMAT for Universal...

I am using a Universal Forwarder to send data (log files) to Splunk. My log files contain a timestamp at the beginning of the row. For example: (07/09/2018 12:55:40) ;Info;........ The date/time is to...


What's the best way to securely forward data from a Universal Forwarder to a...

Hey Everyone, Hope your week is going well. I'm currently working to securely forward data from a Universal Forwarder to a Splunk Indexer. I'm aware the universal forwarder can connect via SSL, but I'm...


In Splunk Cloud with managed forwarders is it possible to set the...

Is there a way to pass the initCrcLength when creating a data input with managed forwarders? The default doesn't pull data from the log directory. I was able to fix this on a non managed forwarder by...

How do I find and remove strings in logs from the Forwarder?

Hello, I'm trying to send some antivirus logs from the forwarder into Splunk. The logs I'm sending have a tendency to spam, for example: 13/09/2018 16:06:53 No usable rule found Blocked...

Installing Universal Forwarders on Linux hosts running as Search Heads,...

Hi everyone, I had a hard time figuring out the confusing (but excellent effort though) documentation for Splunk Add on for Unix and Linux. I had gone through the docs and Answers but am not 100% sure....

In a distributed environment, do I have to install a Universal Forwarder on...

Installing Universal Forwarders on Linux hosts running as Search Heads, Indexers, Deployment Server, etc Hi everyone, I had a hard time figuring out the confusing (but excellent effort though)...


Discrepancy in the transfer of WinEventLog://Security logs through Universal...

We have 5 indexers and a standalone search head with no cluster configuration. Recently, we have observed that the WinEventLog: Security logs are not indexing properly and there seems to be a huge...

Will someone tell me the command Splunk is using to read Windows security...

Can someone tell me the command Splunk is using to read the Windows security event log. I have one server that will send to _internal, but not send to the specified index of my input. It really seems...


Can we specify files in archive to be collected?

I couldn't find a clear guideline of doing this. Simply, can we specify monitor path deep inside archive? e.g. [monitor:///tmp/*.gz:/archive/*.xml] I want UF to get the files directly instead of passing...

"Splunk could not get the description..." after Windows 2016 Cumulative...

Probably an update to a core DLL and we'll have to wait for a new version of the Splunk UF. As of this moment, UF version 7.1.3 does not work. This is not a question, more of a warning.


Why is my universal forwarder not forwarding?

Hello all! I have banged my head for about 2 hours trying to figure out why my universal forwarder won't transfer data to my Heavy Forwarder. Steps I have done: - Opened receiving **port 80** on Heavy...

Why is our Splunk Universal Forwarder not able to read the modification on a...

My Splunk Universal Forwarder is not able to read the modification on a file under the path "C:\Program Files (x86)" My inputs.conf is: [monitor://C:\Program Files...

Using registry monitoring (WinRegMon) with a universal forwarder for Windows...

Hi, I am trying to monitor Windows servers BIOS versions using Registry monitoring with UF. For testing, I installed a full Splunk Ent. and used a web GUI to add some Registry input with the baseline....
