Two Indexers - Blacklist Data to Specific Indexer
Good morning all- I'm working on a design in my lab where we have two indexers. I have data for one of the indexes 'networkvideo' that I want to only go to one of the indexers, while all of the other...
About version difference between UF and SH.
I saw it. https://docs.splunk.com/Documentation/Forwarder/7.2.4/Forwarder/Compatibilitybetweenforwardersandindexers I am using IDX of 6.4 and UF of 7.2. However, I can not communicate from client hello...
How do I get a Splunk universal forwarder to send explicit Event ID Events Only?
Hello, I'm interested in installing universal forwarders (UF) on machines to ingest local security event logs into Splunk. However, I don't want every single security event log sent from the UFs to the...
How come Windows Security events are taking 15-20 minutes to appear on Splunk?
We have configured a universal forwarder on 4 Domain Controllers in our environment. Now, we receive security events in real time on 3 Domain Controllers. The 4th DC has a lag of around 20 minutes to...
When trying to Install a Splunk forwarder on Linux, why am I getting the...
I am trying to install the Splunk forwarder (for Splunk Cloud) on an Ubuntu 16.04 server using the instructions on the following:...
How to install splunk universal forwarder on multiple windows system with...
I want to install universal forwarder on multiple Windows machines. I tried using this command Invoke-Command -ComputerName "Desktopname" -Scriptblock {msiexec /i path of forwarder(.msi) file} . Without...
How can I automate the downloading of universal forwarder?
Everything I am reading is that to download via wget, cURL, etc, that you have to specify the full path that contains the specific version number in the name/path. How can I get the latest/current...
Why am I getting high CPU and high memory on universal forwarder even though...
Hi, We are using a forwarder (7.1.6) and we are seeing high CPU and high memory for Splunk forwarder (One whole core of a 20 core box). However we are only getting in a trickle of data,...
How do you filter out an event based on an account name?
Hello, I am trying to exclude specific event logs from a Windows system being forwarded and indexed to Splunk. What I need to do is to filter out an event based on the content of the event (actually...
Scripted input is done many times regardless of interval setting.
My environment : Splunk Indexer : 7.2.3 on Linux7 Splunk Deployment Server : 7.2.3 on Linux7 Universal Forwarder : 7.2.3 on Linux7 I configured that Deployment Server deploys below inputs.conf to UF....
"invalid key in stanza" error after restarting the forwarder using...
Hi All, We have installed the Splunk_TA_nix (Splunk Add-on for Unix and Linux - https://splunkbase.splunk.com/app/833/) in the Search Head (/opt/splunk/etc/deployment-apps folder), added a /local...
Issue with syslog data getting behind when read from our syslog server with a UF
We are running Splunk 6.6.3 and have UFs on our syslog servers. We are finding some of the data gets behind for some of the hosts that the syslog server has files for. Some of the files get very large...
Issue with syslog data getting behind when read from our syslog server with a...
We are running Splunk 6.6.3 and have universal forwarders on our syslog servers. We are finding that some of the data gets behind for some of the hosts that the syslog server has files for. Some of the...
Hello, Please could someone help me to find out whether I am getting the...
Hello, Please could someone help me to find out whether I am getting the data from Universal forwarder to heavy forwarder? Note : I don't have UF and Indexers, Search head CLI access. Thanks.
Could someone help me find out whether I am getting data from universal...
Hello, Please could someone help me find out whether I am getting data from the universal forwarder to the heavy forwarder? Note : I don't have UF and Indexers, Search head CLI access. Thanks.
Unable to execute script on universal forwarder due to permission issue
I am trying to install UFs on a number of hosts using the below script got from one of the posts in this forum, #!/bin/sh # This EXAMPLE script shows how to deploy the Splunk universal forwarder # to...
Can I monitor a file with extension .splunk?
Trying to monitor a file that ends with .splunk but for some reason splunk will not index it. Only when I change the extension to .txt, it ingests. Any reasons why this is happening? Thanks
Splunk Universal Forwarder Caching Functionality
Does anyone know the functionality for the Universal Forwarder and its caching of logs if it's disconnected from the indexer. Specifically, what is the functionality of caching a file when it gets...
What is Splunk Universal Forwarder caching functionality?
Does anyone know the functionality for the Universal Forwarder and its caching of logs if it's disconnected from the indexer. Specifically, what is the functionality of caching a file when it gets...
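Logs ingested via the universal forwarder are cut off partway.
Logs ingested via the universal forwarder get cut off partway. It seems to stop ingesting a line at about 4050 characters. Each line of that log is very long. I want Splunk to read each line to the end. Is there any way to do this?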