
Splunk Stream - Distributed Forwarder Management


I am successfully collecting DNS logs from some domain controllers, but I noticed the Distributed Forwarder Management isn't working how I intended. All of my clients are falling under the 'defaultgroup'. I have a group called 'infradns' configured with a regex rule of 'infradns'.

My inputs.conf on my domain controllers looks like this:

splunk_stream_app_location = https://splunkserver:8000/en-us/custom/splunk_app_stream/
forwarderid = infradns
disabled = 0

Any ideas?


Re: Splunk Stream - Distributed Forwarder Management


Have you tried removing the infradns from the stream_forwarder_id stanza in the inputs.conf?
Then restart the client instance. Go to the Distributed group you made in the Stream app and see if it appears in your available client regex area?
