What are the basic troubleshooting steps in case of UF/HF is not forwarding...
Most of the time we have seen that the splunk universal forwarder or Heavy forwarder fails to forward data to the indexer. In this scenarios, what troubleshooting steps we can use to start the...
View ArticleHow do you detect a Universal Forwarder (UF) vs Enterprise from CLI?
On Linux, what is the "official" way of detecting whether a host has full Splunk Enterprise, versus the Universal Forwarder installed/running? For both packages, the file "etc/splunk.version" is...
View ArticleWhy is the Universal Forwarder indexing its own logs?
Guys. I have many Universal Forwarders installed in the machines that send logs to one Heavy Forwarder. This Heavy Forwarder sends log to my indexer. I do not know why each universal forwarder is...
View ArticleHow to customize official splunk universalforwarder docker image
Below docker command will be used to run the app. docker run \ -d \ -name app_x \ -v /opt/app/logs \ testapp "/opt/app/logs" will be the place where app logs will be kept and sharing the data volume so...
View ArticleWhy isn't the receiver receiving files from universal forwarder?
I have 2 Linux machines. I installed the universal forwarder on one of them and configured the inputs.conf and outputs.conf files to get the data from a file on the same machine and forward it to the...
View ArticleImpact of installing syslog-ng in universal forwarder
Hello Splunkers, I have a requirement wherein I need to forward the data to the third-party system apart from sending logs to Splunk. What is the impact of having syslog-ng along with universal...
View ArticleCould not send data to output queue(parsing queue)
Hello Splunkers, Lately, we have been facing issues in onboarding the data due to the “Could not send…..parsing queue full” issue whenever there is a data burst. We have been setting maxkbps in...
View ArticleCan you help us with our issue involving a Splunk Universal Forwarder Upgrade?
Our Splunk Enterprise Systems ( Cluster Master, Indexers, Search Head and Heavy Forwarders .Deployment Master ) are running with Splunk 7.0.7 version. So, we are planning to upgrade our Splunk...
View ArticleHow come my Splunk Universal Forwarder and props.conf are not parsing our CSV...
I currently have a universal forwarder and an indexer. The universal forwarder reads a number of CSV files. And then ships them off to the indexer. I also have a props.conf on both that reads: [csv]...
View ArticleCan you help me with my Splunk Universal Forwarder starting problem?
Hello. I am troubleshooting a universal forwarder installed on a Windows system. I noticed that the SplunkForwarder service only starts if the "Log On As" user for the service has administrator rights...
View ArticleCan you help me troubleshoot my issue involving sending data to output...
Hello Splunkers, Lately, we have been facing issues in on-boarding data due to the “Could not send…..parsing queue full” issue whenever there is a data burst. We have been setting maxkbps in...
View ArticleSplunk Universal Forwarder reported using 24GB?
recently I worked on issue where Splunk Universal Forwarder using useACK=true reported using meory over 24GB. Normal usage is around 2-3GB. In this post have decided to share teh steps taken to resolve...
View ArticleUniversal Forwarder Fishbucket growing.
Hi All, The UF (6.6.2) on our AIX server has an issue where the fishbuckets are growing in size 3gb + even after setting the file_tracking_db_threshold_mb = 500. Is there a way to invoke a retirement...
View ArticleSending data from one UF to other UF
Can we send cooked data from one universal forwarder to other Universal Forwarder by enable [splunktcp] on receiving UF to read cooked data from first UF. Does splunktcp can be enabled on UF by making...
View ArticleTomcat 7.0 Logs on Windows Server 2012 R2
Hi, I'm pretty new to using the universal forwarder on Windows Servers. Our indexer Server is running on 7.2.0 and the used Forwarders version is 7.2.1. I've added a straight forward monitor (pls see...
View ArticleUnivarsalForwarderとソースタイプについて,Universal Forwarderとソースタイプ
UnivarsalForwarderを使って、ログファイルをSplunk Enterpriseに送っているのですが、 この際、ソースタイプは指定できないのでしょうか。 ,Universal Forwarderを使って、ログファイルをsplunk Enterpriseに送っているのですが、 送る際にソースタイプを指定できませんか?
View ArticleNot receiving data
Hi, I have an issue with receiving data from one of the Universal Forwarder in my environment. I have checked the internal logs of UF and found some messages stating that "Watched File - will begin...
View ArticleWhy is one of my universal forwarders not receiving certain pieces of data?
Hi, I have an issue with receiving data from one of the universal Forwarders in my environment. I have checked the internal logs of the UF and found some messages stating that "Watched File - will...
View ArticleCSV file not getting indexed in correct format through UF but parses...
Has any one installed Splunk UF on Kali linux and faced any issues?.We have Splunk UF(7.1.1) installed on Kali linux and monitoring a path as below.The csv file is not coming in right format from the...
View ArticleHow to use the universal forwarder to parse log files with a key value pair...
Hello, I'm trying to parse log entries that look like so EventTime=2018-12-07...
View Article