...ot stall? If I look at the spec of outputs.conf, for me it's not fully clear what happens when I write to the socket and the destination is unreachable: * When set to "false", the forwarder c...
I understand that the best practice is to disable local indexing and forward data from the search heads, cluster master, the deployment servers, etc to the indexers. The syntax for outputs.conf I s...
Hi Experts,
We deployed 4 apps on Splunk Universal Forwarder. 3 apps having same outputs.conf and sending data to same indexer.
The 4th app has a different indexer IP.
All 3 apps are able t...
The outputs.conf.spec shows a default value of "auto". The Splunk Universal Forwarder version is 6.2.3 on RHEL 6.6. What is the algorithm used to determine the amount of memory to use? I have OS p...
Hello
I got a strange error as:
Checking conf files for typos...
Possible typo in stanza [indexAndForward] in /opt/splunk/etc/apps/linuxForwarder_output/default/outputs.conf, line 8: s...
Hi!
We have a environment which has two HA none clustered splunk servers.
We are considering to gather firewall logs but the firewall can send to
only single splunk server. To send it to splu...
Is the Universal Forwarder sending one line at a time?
Is there such a setting?
Is there sending multiple lines at once?
I read the manual but I could not find the description.
And,
When ...
Let's say if I have 4 indexers at one site 'AB' and 4 indexers at another site 'CD'(DR site).
site_replication_factor=origin:2,total:3
site_search_factor=origin:1,total:2
Question :1 I underst...
What does it actually mean and what are its use cases? Is this different from autoLfrequency?
From Docs, I can infer that if sendCookedData=true, then it should be enabled. What is the relation bet...