How do I configure custom sourcetypes on Universal Forwarders and Indexers?
I have two Linux VMs set up, one with a Universal Forwarder and one with an Indexer. I have a script that generates dummy data (on the forwarder) that needs a custom sourcetype set up in order to parse...
Splunk App for Windows Infrastructure: How to troubleshoot why 4 out of 11...
Hi guys, Currently in the project I am working on, the client has 11 Domain Controllers with 1 of them as the Master node. From what I was told, the Splunk App for Windows Infrastructure will have a...
How to deploy a Splunk Universal Forwarder through GPO?
Does anyone have any script to share? Splunk Enterprise 6.3.2
Is it possible to reconfigure an existing universal forwarder to...
Is it possible to reconfigure an existing universal forwarder to low privileged mode? We installed our UFs as local system and are being asked to change them to a user in low-privilege mode.
TA-nmon. Error ArchiveContext in splunkd.log on AIX UVF. Which 0652-141 There...
New setup of Universal forward on AIX, with nmon TA-nmon app installed. All seems to be working but getting an increasing error count on the NMON home screen/dashboard and splunkd.log is showing the...
How to troubleshoot why security events from one domain controller are...
Good day, We have one domain controller that is always about 5 hours behind in having the logs available in Splunk. This is our busiest domain controller and the security event log file is set to 1GB...
Splunk App for Windows Infrastructure: Why do events appear to be broken sent...
Hello; I am running several Microsoft Windows Event Collectors, and data contained within the App for Windows Infrastructure; mostly events, appear to be broken. If I search my data for "ComputerName"...
Why is my universal forwarder reporting "INFO WatchedFile - Resetting fd to...
One of my servers running a universal forwarder is spitting out this message quite frequently: 02-04-2016 16:48:49.607 -0500 INFO WatchedFile - Resetting fd to re-extract header. What is this telling...
How to configure inputs.conf on a universal forwarder to ignore monitoring...
Hi, I am monitoring a folder which has a high level of nesting, and daily 1000s of folders get created. The name of the folder is unique based on some id. I am seeing a delay of 10-12 hours in getting...
Download link for 6.3.3 Mac universal forwarder is broken, kaput, non functional
Has anyone had any success downloading the 6.3.3 universal forwarder for Mac?
Why am I getting handshake error between my deployment server and 5 out of 10...
Hello, I've read a few threads on this topic, but none seem to relate to Splunk 6.3 or have worked for me. I am taking over a deployment that looks like 10 servers that forward data to a Heavy...
Running a universal forwarder in low privilege mode, why am I getting error...
Our admin created me a regular domain user to test low P and assigned it these privileges: • Permission to log on as a service. • Permission to log on as a batch job. • Permission to replace a...
How to configure a universal forwarder to add multiple fields to events being...
We're trying to find a way to have the universal forwarder send data to the indexer essentially pre-marked with a small number of custom fields (or the like) that we can later search on. For example, a...
Installing a universal forwarder in low privilege mode, why am I getting...
Our admin created me a regular domain user to test low P and assigned it these privileges: • Permission to log on as a service. • Permission to log on as a batch job. • Permission to replace a...
How to configure proper line breaking in props.conf on the universal...
Hi beloved Splunkers, I'm currently trying to set up a data connection between one of our servers and my Splunk deployment. Unfortunately, I encountered some problems when it comes to Splunk...
caching events to disk on Universal Forwarder
Hi! According to documentation on outputs.conf, maxQueueSize sets value for amount of RAM that queue can take when indexer is down. But I need to be able to cache large amounts of events, for example 5...
Why is SSL not working on our Splunk 6.3.0 Windows universal forwarder with...
We've been trying to get the Splunk Universal Forwarder for Windows (v6.3.0) to work on a Windows 2008 R2 server and we consistently get the following error. TcpInputConfig - SSL clause not found or...
Why are universal forwarders reporting error "Metric with the name...
Hi there, By examining the _internal logs I found the following, Metric Error: ERROR Metrics - Metric with name thruput:thruput already registered It is reported by Universal Forwarders of several...
When will AIX 7.2 be supported for universal forwarders?
Hi, I see from the release notes that AIX 7.1 is supported in the current universal forwarder, but there is no mention of AIX 7.2. When will AIX 7.2 be officially supported? Has anyone tried the UF on...
How to configure a universal forwarder to add search-time metadata to all...
Hi Everyone, Our setup is a universal forwarder --> heavy forwarder --> indexer. I am looking to modify a universal forwarder config so I can search on static metadata in Splunk Web. For example,...