Deployment Architecture

Ask a Question

Discussions

Thread Info

Data loss HF goes down

Our set up- HF receives syslog (directly from firewalls, IPS, etc) and logs from UF (windows and linux machines) a...

by New Member in

Why some of our universal forwarder intermittently stops forwarding logs?

Hi All, Good day, would like to seek for help regarding on our universal forwarders. Some of our sources (universa...

by Communicator in

What is the best order to perform an indexer cluster migration and expansion of both Search Head cluster and Indexer cluster?

What is the best order to perform the above? Our current Splunk environment consists of 5 clustered Indexers and 4 cl...

by New Member in

How to forward data to unsplunk system?

I have configured three files outputs.conf, transforms.conf and props.conf but still I am not getting forwarded data ...

by New Member in

What does archivebuckets do on a heavyforwarder?

Hi all We are running Splunk on a distributed environment. We have an Index Cluster (8 nodes). Also on each system...

by Communicator in

How to fix the searches across the reduced buckets issue for a particular index ?

Hi All, Currently we are facing an issue while performing a search against a particular index and found it was due to...

by Motivator in

Deployment server Restart

Do we need to restart Deployment server if we make any changes in Splunk\etc\apps\local\inputs.conf(xyz) and \Splunk\...

by Explorer in

how to find out if all our search heads in search head cluster environment is in sync?

Hello, We are running 6.3.3 with search head clustering and 4 search heads in the cluster. Some times users compla...

by Communicator in

Finding forwarders that are not reporting in but have in the past

Hi guys, I've been been given 2 tasks with regards to our Splunk forwarders. 1) Find out which forwarders are...

by Communicator in

Does Splunk support two search head clusters with one indexer cluster?

Does Splunk support two search head clusters with one indexer cluster? Basically we have 3 search heads clustered. we...

by Contributor in

Adding new SH cluster to existing splunk setup.

Currently we have 1 multisite indexing cluster, 1 multisite search head cluster, a deployer and a master node. Planni...

by Path Finder in

How to calculate dispatch directory size in Splunk?

Hi, I want to calculate dispatch directory size in Splunk to help in Splunk performance monitoring. Can anyone ple...

by Contributor in

Is it possible to bring new servers online into the respective pools and have them sync in such a way that we can remove the old servers one at a time?

Would it be possible to bring the new servers online into the respective pools and have them sync in such a way that ...

by New Member in

How to configure Universal Forwarder to receive UDP traffic

I am trying to forward events from my current SIEM to the Universal forwarder using UDP and port 9514. When I run a t...

by Path Finder in

Best practices to send multiple devices to a single indexer via syslog

We have a deployment with approximately 500 linux systems that are sending logs via syslog on a single indexer. In so...

by Path Finder in

Splunk performs tsidx reduction immediately on warm buckets

I've recently upgraded to Splunk 6.6.0 and now seem to be having a problem with one of my indexes; every time I searc...

by Explorer in

script doesn't run. error Couldn't start command "" Resource temporarily unavailable

I have a few sh scripts scheduled to run every few min and those stop recently, and print this error in the log. To w...

by New Member in

Deleting old Splunkd logs in Splunk forwarder

Hi, Is there any configuration in Splunk forwarder to delete old splunkd logs, metric logs etc.

by Explorer in

Splunk forwarder configured with dummy splunk server results in long pause in puppet splunk restart

I basically have roles which install the forwarder with whom I might wish to do some local testing. When testing loc...

by New Member in

Splunk 6.x and Linux? not so fast?

New 6.0.x/6.1.x installation and both Indexer and Search Head seem to have latency and not performing as expected! ...

by Splunk Employee in

Rotuing data to specific indexes

I have situtationn where i have cluster master which managed the indexer cluster . I am getiing data in load balancin...

by Engager in

How to check missing universal forwarders

Any help will be appreciated, i trying from long back how to check missing forwarders.

by Path Finder in

Splunk Db Connect with Forwaders

We want to ingest data from databases to our indexer .Would it be recommended to use heavy forwarder or UF ? Also can...

by Engager in

Cluster bucket rebalancing: How long is too long?

My first few attempts at rebalancing were pretty great. No muss, no fuss. They ran for about 12 hours and like magic ...

by Influencer in

Forwarder issue

So we are trying to design a solution and we want two layers for forwarding . At the first layer universal forwarder ...

by Engager in

Get Updates on the Splunk Community!

Deployment Architecture

Discussions

Data loss HF goes down

Why some of our universal forwarder intermittently stops forwarding logs?

What is the best order to perform an indexer cluster migration and expansion of both Search Head cluster and Indexer cluster?

How to forward data to unsplunk system?

What does archivebuckets do on a heavyforwarder?

How to fix the searches across the reduced buckets issue for a particular index ?

Deployment server Restart

how to find out if all our search heads in search head cluster environment is in sync?

Finding forwarders that are not reporting in but have in the past

Does Splunk support two search head clusters with one indexer cluster?

Adding new SH cluster to existing splunk setup.

How to calculate dispatch directory size in Splunk?

Is it possible to bring new servers online into the respective pools and have them sync in such a way that we can remove the old servers one at a time?

How to configure Universal Forwarder to receive UDP traffic

Best practices to send multiple devices to a single indexer via syslog

Splunk performs tsidx reduction immediately on warm buckets

script doesn't run. error Couldn't start command "" Resource temporarily unavailable

Deleting old Splunkd logs in Splunk forwarder

Splunk forwarder configured with dummy splunk server results in long pause in puppet splunk restart

Splunk 6.x and Linux? not so fast?

Rotuing data to specific indexes

How to check missing universal forwarders

Splunk Db Connect with Forwaders

Cluster bucket rebalancing: How long is too long?

Forwarder issue

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Optimizing indexing queue and question about the m...

Setup Splunk on AWS Elastic Beanstalk

CMMC Version 2.0

Stream forwarder only works when running as root

Search Cluster Overwriting etc/system/local/inputs...