[1pm PT / 4pm ET] - Register here and ask questions below. This thread is for the Community Office Hours session on Getting Data In (GDI): Forwarders & Edge Processor on Wed, August 23, 2023 at 1pm PT / 4pm ET.
This is your opportunity to ask questions related to getting data into Splunk Platform using forwarders or Splunk Edge Processor. Including:
Please submit your questions at registration or as comments below. You can also head to the #office-hours user Slack channel to ask questions (request access here).
Pre-submitted questions will be prioritized. After that, we will go in order of the questions posted below, then will open the floor up to live Q&A with meeting participants. If there’s a quick answer available, we’ll post as a direct reply.
Look forward to connecting!
Hey Everyone,
Don't forget to submit your questions at registration! You can also post a comment here for any topics you'd like to see discussed in the Community Office Hours session, or head to the #office-hours user Slack channel to ask questions and join the discussion (request access here).
First off, thanks so much for putting this together!
My main issue so far with the EP is configuring TLS to work when performing the initial configuration of a processor. According to the documentation I can use the Splunk Forwarder certs that I downloaded from the Splunk Cloud platform and place them in the Server Key/Server Cert/CA Cert sections of the Edge Processor config. There are two problems I run into when I do this:
1. I get the error:
   There was a problem creating your new Edge Processor.
   INVALID_SERVER_PK_PEM_FORMAT
   (I can confirm that the files are in PEM format.)
2. The other issue is (I think) that the outputs.conf would need to be updated to reflect the architecture change (UF/HEC -> Splunk Cloud to UF/HEC -> EP -> Splunk Cloud). Would that be done after the cert config is completed?
Expert Solution:
Thank you! I did discover before the session began that the issue was related to a number of intermediate certs contained in the PEM file. Once I removed those the import worked properly.
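The root cause above (a single PEM bundle holding the private key plus the leaf certificate and several intermediates, pasted into the Server Key field) can be caught before the upload. The following Python script is an added example, not Splunk's code or the poster's: it splits a combined forwarder-style bundle into the three pieces the Edge Processor form asks for and flags a "key" that contains anything other than one private key block. The bundle contents are constructed placeholders, and the assumption that the first certificate is the leaf and the rest are the chain reflects the usual forwarder bundle ordering.

```python
import re

# Constructed sample bundle: key, leaf cert, then two intermediates.
# Base64 bodies are placeholders, not real key material.
SAMPLE_BUNDLE = """-----BEGIN PRIVATE KEY-----
MIIEvPLACEHOLDERKEY
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDPLACEHOLDERLEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDPLACEHOLDERINTERMEDIATE1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDPLACEHOLDERINTERMEDIATE2
-----END CERTIFICATE-----
"""

# One PEM block: BEGIN/END labels must match (backreference \1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def split_pem_bundle(bundle: str) -> dict:
    """Return {'server_key', 'server_cert', 'ca_certs'} from a PEM bundle.

    Raises ValueError unless there is exactly one private key and at least
    one certificate. First cert is assumed to be the leaf (assumption).
    """
    keys, certs = [], []
    for label, body in PEM_BLOCK.findall(bundle):
        block = f"-----BEGIN {label}-----\n{body.strip()}\n-----END {label}-----\n"
        if label.endswith("PRIVATE KEY"):
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
    if len(keys) != 1:
        raise ValueError(f"expected one private key block, found {len(keys)}")
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return {"server_key": keys[0],
            "server_cert": certs[0],
            "ca_certs": "".join(certs[1:])}


def check_key_file(pem: str) -> bool:
    """True only if the text is a single private key block and nothing else,
    which is what the Server Key field expects."""
    labels = [label for label, _ in PEM_BLOCK.findall(pem)]
    return len(labels) == 1 and labels[0].endswith("PRIVATE KEY")
```

Running check_key_file on the original bundle returns False, which is the condition that produced the INVALID_SERVER_PK_PEM_FORMAT error; the split key passes, and the intermediates go into the CA Cert field instead.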
Great! Glad you figured it out. I also posted the session recording in the #office-hours if you'd like to rewatch the experts talk through it.
Cheers,
Baylie
Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel):
Q1: Can Forwarder be on the same server as Splunk? Do you need forwarders for security monitoring?
Q2: How do you ingest logs from linux auditd into your Splunk app for processing?
Q3: Why am I having blocked queues? How do I troubleshoot blocked queues that are preventing data from being indexed?
Q4: What’s the difference between "search in" vs "search IN"?
Q5: How do you configure Edge Processor servers and where? In cloud or in our HF(LAN)?
Q6: How can I set up Edge Processor as a service?
Other Questions (check the #office-hours Slack channel for responses):
Hello, I would like to have access to the video in https://splunk-usergroups.slack.com/