Can you index a certain sourcetype and forward the remaining?
Hi I am new to Splunk and am trying to forward a specific sourcetype of data out. That part is successful but now I am having trouble with the next part; indexing the remaining sourcetypes. I am using...
Universal Forwarder Credentials
What is the correct way to upgrade the credentials on a universal forwarder? Ours will expire soon. When I run splunk install app -update, getting the following error: Cannot perform action "POST"...
replaced with new index with old one in inputs.conf
I have changed the index name for a log ingestion to a new one but the logs are still ingesting to the old index. I cannot understand why the logs are not ingesting to new index. Please let me know if...
DNS Server NOT Forwarding Windows Security Events
One of our DNS servers running a universal forwarder, suddenly stopped sending Windows Event logs to our indexers. DNS events are still being forwarded.
Universal Forwarder DNS resolution
Good day to all, Since I didn't find any search results on this topic, does UF do any DNS resolution for the events (Windows or whatsoever) that it reads? I believe that it doesn't but I would like some...
Preferred distro for UF & Syslog-NG instance
We have a requirement to run a Universal Forwarder that will act as an Intermediate Forwarder for our domain controllers & will also run syslog-NG to receive logs from our firewalls before sending...
Set up log-to-metrics from Universal Forwarder to Splunk Enterprise
I've followed the docs for setting up log-to-metrics but I haven't been able to get it to work as intended. I have a CSV file being monitored by a universal forwarder that then gets sent to Splunk...
How to fetch Windows Services details using Splunk App For Infrastructure?
Dear Splunkers, I have Splunk App for Infrastructure installed on Splunk Cloud and have already onboarded Windows details using easy install script but nowhere I can see Services data to perform real...
How to configure Splunk to read a csv file from a universal forwarder?
Hi, I have one csv file at location /apps/data_splunk/.csv And this CSV file has data like below JAN-18 | 31-JAN-2018 | -1 | 1 | 31-JAN-18 | 01-FEB-18 | 727 JAN-18 | 01-FEB-2018 | 1 | 1 | 01-FEB-18 |...
FormatMessage was unable to decode error (193), (0xc1)
10-07-2019 13:33:23.696 -0700 ERROR ExecProcessor - Couldn't start command ""C:\Program Files\SplunkUniversalForwarder\etc\apps\test\bin\abc.ps1"": FormatMessage was unable to decode error (193), (0xc1)
Intermediate Forwarder Not Sending Data
I have a UF sending to a UF sending to Splunk. The intermediate UF is sending data but just from that host. The first UF's data is not getting to Splunk. Intermediate UF IP 10.0.1.18 Splunk IP...
Intermediate forwarder not sending data
I have a UF sending to a UF sending to Splunk. The intermediate UF is sending data but just from that host. The first UF's data is not getting to Splunk. Intermediate UF IP 10.0.1.18 Splunk IP...
Does Splunk ingest files that existed before the remote folder monitor was...
I have a client server with a universal forwarder configured to forward data to an index server. On the client server, I have a folder "X" full of CSV files. If I create a remote folder monitor for the...
Receiving error after restarting docker-splunk, proceeds to add forward-server
Hi, I am setting up a Splunk universal forwarder by pulling the universalforwarder docker image from docker-hub and as part of docker run command I also add forward-server like below: docker run -e...
Forwarder Resend Data After Connect To Indexer
Hi, Splunkers: I have a forwarder that is targeted to an incorrect indexer and it was paused to send data for 3700s. Now I have configured to a correct indexer URI and how can I make the forwarder...
Recommended way to ingest files from remote server into clustered indexers?
We have a clustered search head and indexer environment with 16 indexers and a Deployment server. On a remote Windows server we have a PS script that runs a Microsoft API call every hour to pull alerts...
SAML cert db registration with KVStore failed
After upgrading from 7.1.2 to 7.3.2, I am seeing the below error. INFO loader - SAML cert db registration with KVStore failed
After upgrade Splunk Universal Forwarder is not sending logs to Indexer tier
After upgrading universal forwarder from 7.1.2 to 7.3.1, the universal forwarder stopped sending logs to Splunk.
How to configure outputs.conf to forward data in a fail-over method
We have HF 1 and HF2 that are located in DC1 and DC2 respectively. How can we configure outputs.conf in below method. - All servers in DC 1 should forward data to HF 1 primarily and only send data to...
Universal Forwarder inputs.conf perfmon stanza : Why counters with "-" in...
## Initial case (working) : In a UF add to an inputs.conf (depending on whether you're using an app, creating local conf or default one, etc.) [perfmon://< any performance monitoring input>] counters =...