Hi!
I'm following the following directions to try and set up assets and identities for Splunk Enterprise Security on Splunk Cloud through a heavy forwarder.
https://www.hurricanelabs.com/blog/gathering-ldap-identity-data-with-splunk-cloud
The instructions say to set up a saved search on the Heavy Forwarder and have it populate a summary index. However, I am unable to schedule searches on the Heavy Forwarder and get the message:
The search scheduler is disabled by the license Splunk is using. Scheduled searches that populate a summary index were found, but they will not be executed. This might affect dashboard panels that depend on the summary index.
Does anyone have any tips on what I am missing?
Thanks,
JG
Hi, I am using a free trial of Splunk. I am dealing with this problem too, with a universal or heavy forwarder, and I can't even open a ticket.
Thanks
Open a ticket with Support, and explain what you are trying to do. They will get you a 1mb license that enables the deployment server and other enterprise features. (These are available for 30 days after installing, but then it rolls to a limited license.)