
Why is the Splunk Add-on for Citrix NetScaler not parsing syslog data correctly in my distributed search environment?

rusty009
Path Finder

Hi,

I have a distributed environment of Splunk running 6.3: I have a search head, cluster master, indexer and heavy forwarder. I have syslog data coming from NetScalers on the heavy forwarder, where I have the Splunk Add-on for Citrix NetScaler installed, and all the data is being indexed correctly. The HF forwards data to my indexer and the data is coming in fine, but it has not been parsed correctly. I initially didn't have the Splunk Add-on for Citrix NetScaler installed on the indexer, so I thought this was the issue, so I installed it, but there is no change. Does anyone know what's happening here? I thought the HF forwarded the indexed data?

0 Karma
1 Solution

hunters_splunk
Splunk Employee

Installing the add-on on indexers is not required if you use heavy forwarders to collect data. Data parsing should have already been done on the HF side. If, like you said, the data has already been parsed correctly on the HF, the indexer does not need to perform additional parsing on the forwarded data.
Have you also installed the add-on for Citrix NetScaler on the search head, which is required? Also, make sure that you turn add-on visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node.
Hope it helps. Thanks!



rusty009
Path Finder

Thank you, this worked. But I don't understand why. The parsing has happened long before I search for it in the search head, so why does the sourcetype need to be on the search head?

0 Karma

hunters_splunk
Splunk Employee

Glad it worked. Installation on search heads is required because the add-on also includes search-time operations such as calculated fields, field aliases, and search-time field extractions. In fact, this is true for all add-ons as far as I know. Thanks!
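As an added illustration of the split the answer describes (this is not the Splunk Add-on for Citrix NetScaler's own configuration), the hypothetical props.conf and inputs.conf fragments below mark which settings take effect on the heavy forwarder at index time and which only take effect on the search head; the sourcetype name, timestamp format, field names, regex and transform/lookup names are all assumptions.

```ini
# ---------- props.conf (hypothetical sourcetype; not the add-on's real stanza) ----------
[example:netscaler:syslog]

# Index-time (parsing) settings. They are applied by the first full Splunk
# instance that sees the raw data: the heavy forwarder in this thread's setup.
# The HF then sends "cooked" events, so the indexer never re-applies them,
# which is why installing the add-on on the indexer changed nothing.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Timestamp format is an assumption for the example, not taken from the page.
TIME_FORMAT = %m/%d/%Y:%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
TRUNCATE = 10000
# Index-time transform (for example a routing or sourcetype rewrite rule);
# the transform name is hypothetical and would live in transforms.conf.
TRANSFORMS-route = example_netscaler_route

# Search-time settings. They are evaluated by the search head when a search
# runs, so they only work if the add-on is installed there too. Field and
# lookup names below are placeholders.
# Inline regex field extraction
EXTRACT-example_src = src=(?<src>\S+)
# Field alias
FIELDALIAS-example_dest = dest_ip AS dest
# Calculated field
EVAL-action = if(isnull(action), "unknown", action)
# transforms.conf-based extraction
REPORT-example_kv = example_netscaler_kv
# Lookup-based enrichment
LOOKUP-example_vendor = example_vendor_lookup vendor_action OUTPUTNEW action

# ---------- inputs.conf on the SEARCH HEAD only ----------
# A collection input should run on the data collection node (the HF), not on
# the search head; leaving it enabled on both is the duplication the answer
# warns about. Port and stanza are placeholders.
[udp://514]
disabled = 1
```

The props.conf stanza is shared by every node with the add-on installed, but each setting is only ever consumed by the role shown in its comment, so the same package deploys cleanly to HF and search head alike.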
