Hi All, Our search heads are on Splunk Cloud version 8.2.2203.2 and there is a requirement from our application team to use the StreamProcessor Service that is part of the Splunk offering (Ref: h...
I am operating in an environment with a standalone Splunk Enterprise instance running v8.1.3 on RHEL. In my environment I have around 350 Universal Forwarders that have been up and running f...
The purpose of this topic is to create a home for legacy diagrams on how indexing works in Splunk, created by the legendary Splunk Support Engineer, Masa! Keep in mind the information and diagrams i...
I am collecting Sysmon logs via Splunk UF in XML format (renderXml=true). I need to forward some specific Sysmon events to QRadar without XML formatting. I would like to keep sending all Sysmon e...
The inputs.conf documentation describes a requireHeader setting for TCP inputs:
requireHeader = bool
Require a header be present at the beginning of every stream.
This header may be u...
We have a Universal Forwarder that is sending a huge amount of data. We need to only index events that contain any of these words: "EnvisionResponse" or "EnvisionRequest" or "T...
Hello Splunkers,
I am currently using an F5 load balancer in front of two HFs that are used as intermediate forwarders and also doing the parsing jobs for incoming data.
I would like t...
Hi, what is the best practice to ingest data from external (internet-based) data sources, when only syslog or native forwarding are available? A set of load-balanced heavy forwarders in a DMZ, that w...