CEF output forwarding everything from all indexes and sources

Communicator

Trying to configure Splunk App for CEF 2.0 on Splunk 6.5.2. Our environment has clustered IDX's, and clustered SH's. I have combed the documents and installed, configured and deployed appropriately, but have missed some detail that I cannot discover.

Went through the process of creating a datamodel/dataset on the clustered SH's, and then proceeded to deploy these using the App for CEF. Then installed the downloaded .spl file to (1) indexer in the cluster for testing. The receiver (destination for the CEF output) now receives 100% of all events. No filtering is occurring.

Built a single stand-alone server to look just like the production environment. Same index, apps, datamodel, and dataset. The only difference is that there is no system separation as in a clustered/peer model. The same receiver now receives ONLY the events outlined in the datamodel/dataset.

Stuck (and obviously missing something)

1 Solution

Communicator

Solution to the problem. Finally got support engineers on the phone. Discovered a bug in the code, and an erroneous setting in one of the indexers' outputs.conf.


Communicator

After testing, it seems the "fix" for the bug didn't work. CEF forwarding v2.0 & v2.0.1 does not work, even with developer support, on what I consider to be a simple deployment.

Super Champion

Hi mate, just to double check...

1. Do you have heavy forwarders or UFs sending the data to your cluster?
2. Are the raw events cooked before they reach the indexers?
3. Why are you installing the .spl file on the indexer directly? I thought you had to push it via the cluster master-apps to the indexer slaves.

Communicator

1. HF's
2. Yes, cooked
3. Maybe you can. We do not push apps to our indexers, in that we do not, as a normal routine, install apps unless absolutely necessary/required.

Certain the installation method or process has nothing to do with this problem.

Communicator

45 days now working with Splunk support on this issue, and no resolution.

Has anybody got this app to work in a clustered IDX/SH environment, and been able to do so more than once? It is easy to get it to work on a single server, but not in a clustered environment.