All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the Splunk Add-on for Citrix NetScaler not parsing syslog data correctly in my distributed search environment?

rusty009
Path Finder
‎07-19-2016 02:16 AM

Hi,

I have a distributed environment of Splunk running 6.3, I have a search head, cluster master, indexer & heavy forwarder. I have syslog data coming from netscalers on the heavy forwarder where I have the Splunk Add-on for Citrix Netscaler installed and all the data is being indexed correctly. The HF forwards data to my indexer and the data is coming in fine, but it has not been parsed correctly. I initially didn’t have the Splunk Add-on for Citrix Netscaler installed on the indexer so though this was the issue, so I installed it, but there is no change. Does anyone know what’s happening here? I though the HF forwarded the indexed data?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hunters_splunk
Splunk Employee
Splunk Employee
‎07-19-2016 03:02 AM

Installing the add-on on indexers is not required if you use heavy forwarders to collect data. Data parsing should have already been done on the HF side. If like you said, the data has already been parsed correctly on the HF, the index does not need to perform additional parsing on the forwarded data.
Have you also installed the add-on for Citrix NetScaler on the search head, which is required? Also, make sure that you turn add-on visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node.
Hope it helps. Thanks!

View solution in original post

Reply
Solved! Jump to solution
Solution

hunters_splunk
Splunk Employee
Splunk Employee
‎07-19-2016 03:02 AM

Installing the add-on on indexers is not required if you use heavy forwarders to collect data. Data parsing should have already been done on the HF side. If like you said, the data has already been parsed correctly on the HF, the index does not need to perform additional parsing on the forwarded data.
Have you also installed the add-on for Citrix NetScaler on the search head, which is required? Also, make sure that you turn add-on visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node.
Hope it helps. Thanks!

Reply
Solved! Jump to solution

rusty009
Path Finder
‎07-19-2016 07:36 AM

thank you, this worked. But I don't understand why. The parsing has happened long before I search for it in the search head, why does the sourcetype need to be on the search head ?

0 Karma
Reply
Solved! Jump to solution

hunters_splunk
Splunk Employee
Splunk Employee
‎07-20-2016 06:07 AM

Glad it worked. Installation on search heads is required because the add-on also includes search-time operations such as calculated fields, field alias, and search-time field extractions. In fact, this is true for all add-ons as far as I know. Thanks!

Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...