Why is the Splunk Add-on for Citrix NetScaler not parsing syslog data correctly in my distributed search environment?

rusty009
Path Finder

Hi,

I have a distributed environment of Splunk running 6.3: a search head, cluster master, indexer and heavy forwarder. I have syslog data coming from NetScalers on the heavy forwarder, where I have the Splunk Add-on for Citrix NetScaler installed, and all the data is being indexed correctly. The HF forwards data to my indexer and the data is coming in fine, but it has not been parsed correctly. I initially didn't have the Splunk Add-on for Citrix NetScaler installed on the indexer, so I thought this was the issue, so I installed it, but there is no change. Does anyone know what's happening here? I thought the HF forwarded the indexed data?

0 Karma
1 Solution

hunters_splunk
Splunk Employee

Installing the add-on on indexers is not required if you use heavy forwarders to collect data. Data parsing should have already been done on the HF side. If, like you said, the data has already been parsed correctly on the HF, the indexer does not need to perform additional parsing on the forwarded data.
Have you also installed the add-on for Citrix NetScaler on the search head, which is required? Also, make sure that you turn add-on visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node.
Hope it helps. Thanks!

rusty009
Path Finder

Thank you, this worked. But I don't understand why. The parsing has happened long before I search for it in the search head, so why does the sourcetype need to be on the search head?

0 Karma

hunters_splunk
Splunk Employee

Glad it worked. Installation on search heads is required because the add-on also includes search-time operations such as calculated fields, field aliases, and search-time field extractions. In fact, this is true for all add-ons as far as I know. Thanks!
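To make the index-time versus search-time split concrete, here is an illustrative props.conf stanza added to this thread; it is not the configuration shipped with the Splunk Add-on for Citrix NetScaler, and the sourcetype name, regexes and field names are hypothetical. The point is that the first group of settings is consumed by whichever instance parses the data (the heavy forwarder here), while the second group is only read by the search head at query time.

```ini
# props.conf (added illustration; not the add-on's own configuration)
# Hypothetical sourcetype name; the real add-on uses its own stanza names.
[example:netscaler:syslog]

# ---- Index-time settings ----
# Applied once, on the instance that first parses the raw data. In the
# layout described in this thread that is the heavy forwarder; the indexer
# receives already-parsed events and does not re-apply these to them.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^\S+\s+
MAX_TIMESTAMP_LOOKAHEAD = 32
TRUNCATE = 10000

# ---- Search-time settings ----
# Read by the search head when a search runs. If the add-on is absent on the
# search head, these fields simply never appear in results, even though the
# index-time parsing on the HF was correct.
KV_MODE = none
# Hypothetical extraction: pull a dotted-quad client address into client_ip.
EXTRACT-example_client_ip = (?<client_ip>\d{1,3}(?:\.\d{1,3}){3})
# Hypothetical alias so CIM-style searches on "src" also match.
FIELDALIAS-example_src = client_ip AS src
# Hypothetical calculated field derived from the raw event text.
EVAL-example_action = if(match(_raw, "DENIED"), "blocked", "allowed")
```

In a .conf file a `#` comment must sit on its own line; anything after a value on the same line is treated as part of that value.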
