What is an example of what the outputs.conf file would look like on a...
Can someone please provide an example of what the outputs.conf file would look like on a universal forwarder in an index clustered environment? For example: 1 sh, 2 indexers, 1 clustering Master, 4...
Forwarding to Splunk cloud from AWS and on prem
Hi, Our setup is as follows: - Managed Splunk Cloud instance - Heavy Forwarder (on-prem) - Syslog server (on-prem) Our on prem servers have universal forwarders on them and forward to the HF which...
Ensure regex filter in transforms.conf and stanza in props.conf only apply to...
Hello, so I understand that my props.conf and transforms.conf (below) in theory allow me to filter out the events that match the regex specified. props.conf [filter_out_auth_logs] TRANSFORMS-tonull =...
Can default certificate be used for communication between universal forwarder...
I am pretty new to splunk. We are implementing heavy forwarder on EC2 instance which receives the data from UF and forwards to splunk cloud. I am trying to test the data forwarding by configuring...
How to ensure regex filters in transforms.conf and a stanza in props.conf...
Hello, so I understand that my props.conf and transforms.conf (below) in theory allow me to filter out the events that match the regex specified. props.conf [filter_out_auth_logs] TRANSFORMS-tonull =...
Hurricane Labs Add-On for Unified2 compatibility?
Is this app compatible with the latest version of Splunk and Splunk UF? Is this intended to replace the need for barnyard2?
Failed to set up Universal forwarder with docker compose
I want to set up a universal forwarder that receives logs from a syslog server (share a volume) and sends logs to a receiver. For some reason I get the error below on my forwarder container:...
problems running file_meta_data app in aix 7.x
Hi, I am trying to run file_meta_Data app in aix, and keep getting an exit code of 1 from introspection It runs successfully for me in Linux, so I believe I have the basic config setup working...
Universal Forwarder
I installed UF on Win 10 based on steps shown in Splunk web site. But after finishing, I can not find this program while it is in list my installed program in control panel. I tried this many times and...
inputs.conf monitor stanza for Windows Universal Forwarder with wildcards not...
I'm facing a problem with writing a stanza that would collect log files from a directory tree. The tree is (example): D:\Log\App\Module1\Log\%timestamp%-actual.log...
splunk-perfmon.exe errors of Counter is not found
I have noticed that after updating the Universal Forwarder to 7.3.1 (not sure if it is that update or a Windows update) running on Windows 10 Pro (64bit) Version 1809. I get about 2735 of the same type...
Squid proxy & universal forwarder
Hello, I'm trying to send data from a directory on a server to Splunk Cloud using the universal forwarder. This traffic goes through a squid proxy. I've tried to configure the proxy in server.conf:...
Splunk unexpected timestamp parsing behavior
Greetings, In my environment, I have set up a Universal Forwarder that is monitoring a single server .log file, which is then forwarded to a Splunk indexer instance for parsing etc. as a specific...
JSON fields are extracted/displayed twice
JSON fields are extracted twice. On Universal forwarder (7.0.3) the settings `props.conf` are like this [my_sourcetype] SHOULD_LINEMERGE=true LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true CHARSET=UTF-8...
Why are JSON fields extracted and displayed twice?
JSON fields are extracted twice. On Universal forwarder (7.0.3) the settings `props.conf` are like this [my_sourcetype] SHOULD_LINEMERGE=true LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true CHARSET=UTF-8...
How to figure out if forwarders are utilizing props or transforms?
We have Universal Forwarder on our windows servers varying in version from 6.2.3 to 7.1.3. Our Splunk Enterprise version is 7.0.1 (upgrading soon). I was always under the impression that formatting...
How do I forward and delete logs?
I would like to be able to forward logs and then delete them using a UF. How can I do this? For the sake of the Splunk community, it would be nice if this question had a run-anywhere solution. However,...
Splunk Windows universal forwarder zip file
Hi Team, I am facing issues with Splunk universal forwarder installation-* in windows environment. When I went through the Splunk.docs I came to know that Splunk universal forwarder on windows...
Determine which Active servers with Universal Forwarder are NOT sending logs...
We have a bunch of servers with UFs installed. These servers may have different operational states. For example, "Active", "Build in Progress", "Decommissioned", and "Decom in Progress". We use...
What is procedure to upgrade universal and heavy forwarders?
Hello, We have around 13 heavy forwarders. How does the upgrade thing work, should we log into each instance and do the upgrade or is there any way to upgrade through the deployment server. The same...