topic Re: CEF output forwarding everything from all indexes and sources in All Apps and Add-ons

CEF output forwarding everything from all indexes and sources

tlmayes — Wed, 17 May 2017 13:31:46 GMT

Trying to configure Splunk App for CEF 2.0 on Splunk 6.5.2. Our environment has clustered IDX's, and clustered SH's. I have combed the documents and installed, configured and deployed appropriately, but have missed some detail that I cannot discover.

Went thorough the process of creating a datamodel/dataset, on the clustered SH's, and then proceeded to deploy these using the App for CEF. Then installed the downloaded .spl file to (1) indexer in the cluster for testing. The receiver (destination for the CEF output) now receives 100% of all events. No filtering is occurring.

Built a single stand-alone server to look just like the production environment. Same index, apps, Datamodel, & Dataset. Only difference is that there is no system separation as in a clustered/peer model. The same receiver now receives ONLY the events outlined in the datamodel/dataset.

Stuck (and obviously missing something)

Re: CEF output forwarding everything from all indexes and sources

tlmayes — Fri, 30 Jun 2017 17:27:16 GMT

45 days now working with Splunk support on this issue, and no resolution.

Has anybody got this app to work in a clustered IDX/SH environment, and been able to do so more than once? Is easy to get it to work on a single server, but not in a clustered environment.

Re: CEF output forwarding everything from all indexes and sources

koshyk — Sat, 01 Jul 2017 09:25:28 GMT

hi mate, just to double check..

1. do you have Heavy forwarders or UF sending the data to your cluster?
2. Is the raw events cooked before it reaches Indexers?
3. Why you installing spl file in the indexer directly? I thought you have to push via cluster master-apps to indexer slaves

Re: CEF output forwarding everything from all indexes and sources

tlmayes — Mon, 03 Jul 2017 01:50:39 GMT

HF's
Yes, cooked
Maybe you can. We do not push apps to our indexers in that we do not as a normal routine install apps unless absolutely necessary/required.

Certain the installation method or process has nothing to do with this problem

Re: CEF output forwarding everything from all indexes and sources

tlmayes — Tue, 25 Jul 2017 14:11:25 GMT

Solution to the problem. Finally got support engineers on the phone. Discovered bug in the code, and an erroneous setting in one of the indexers outputs.conf.

Re: CEF output forwarding everything from all indexes and sources

tlmayes — Mon, 20 Nov 2017 00:34:05 GMT

After testing, seems the "fix" for the bug didn't work. CEF forwarding v2.0 & v2.0.1 does not work, even with developer support, on what I consider to be a simple deployment