
Why is the Splunk Add-on for Citrix NetScaler not parsing syslog data correctly in my distributed search environment?

rusty009
Path Finder

Hi,

I have a distributed environment of Splunk running 6.3: I have a search head, cluster master, indexer and heavy forwarder. I have syslog data coming from netscalers on the heavy forwarder, where I have the Splunk Add-on for Citrix Netscaler installed, and all the data is being indexed correctly. The HF forwards data to my indexer and the data is coming in fine, but it has not been parsed correctly. I initially didn't have the Splunk Add-on for Citrix Netscaler installed on the indexer, so I thought this was the issue, so I installed it, but there is no change. Does anyone know what's happening here? I thought the HF forwarded the indexed data?


hunters_splunk
Splunk Employee

Installing the add-on on indexers is not required if you use heavy forwarders to collect data. Data parsing should have already been done on the HF side. If, like you said, the data has already been parsed correctly on the HF, the indexer does not need to perform additional parsing on the forwarded data.
Have you also installed the add-on for Citrix NetScaler on the search head, which is required? Also, make sure that you turn add-on visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node.
Hope it helps. Thanks!



rusty009
Path Finder

Thank you, this worked. But I don't understand why. The parsing has happened long before I search for it on the search head, so why does the sourcetype need to be on the search head?


hunters_splunk
Splunk Employee

Glad it worked. Installation on search heads is required because the add-on also includes search-time operations such as calculated fields, field aliases, and search-time field extractions. In fact, this is true for all add-ons as far as I know. Thanks!
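To make the index-time versus search-time split concrete, here is an added example (not code from the thread or from the Citrix NetScaler add-on) that reads a constructed props.conf stanza and sorts each setting by the tier that applies it: the parsing tier (the HF here) for index-time settings, the search head for search-time ones. The stanza name and transform/lookup names are made up; the setting-name prefixes are standard Splunk ones.

```python
import configparser
from collections import defaultdict

# Constructed sample props.conf stanza (hypothetical, not the real add-on's config):
# one sourcetype mixing index-time and search-time settings.
SAMPLE_PROPS = """
[example:netscaler:syslog]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\\r\\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%Y:%H:%M:%S
TRANSFORMS-set_sourcetype = example_set_sourcetype
SEDCMD-strip_pri = s/^<\\d+>//
KV_MODE = none
EXTRACT-session = \\bsession\\s*:\\s*(?<session_id>\\S+)
REPORT-fields = example_netscaler_fields
FIELDALIAS-src = client_ip AS src
EVAL-action = if(isnull(action), "unknown", action)
LOOKUP-action_desc = example_action_lookup action OUTPUT action_desc
"""

# Standard Splunk props.conf setting prefixes, grouped by the tier that applies them.
# Index-time settings run in the parsing pipeline (the heavy forwarder in this thread);
# search-time settings run on the search head, which is why it also needs the add-on.
INDEX_TIME = ("TRANSFORMS-", "SEDCMD-", "LINE_BREAKER", "SHOULD_LINEMERGE",
              "TIME_PREFIX", "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD", "TRUNCATE")
SEARCH_TIME = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-", "KV_MODE")


def classify_props(text):
    """Return {stanza: {"index_time": [...], "search_time": [...], "unknown": [...]}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # Splunk setting names are case-sensitive; keep them as-is
    parser.read_string(text)
    result = {}
    for stanza in parser.sections():
        buckets = defaultdict(list)
        for key in parser[stanza]:
            if key.startswith(INDEX_TIME):
                buckets["index_time"].append(key)
            elif key.startswith(SEARCH_TIME):
                buckets["search_time"].append(key)
            else:
                buckets["unknown"].append(key)
        result[stanza] = dict(buckets)
    return result


def tiers_needing_addon(classified):
    """Which tiers must carry the add-on for the settings found: 'parsing' (HF) and/or 'search_head'."""
    tiers = set()
    for buckets in classified.values():
        if buckets.get("index_time"):
            tiers.add("parsing")
        if buckets.get("search_time"):
            tiers.add("search_head")
    return tiers
```

Run it against your own props.conf text to see which settings would be silently ignored on a search head that lacks the add-on.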
