New behavior to kill DNS lookup traffic, by default searches use https://<ip>:<port> instead of https://<FQDN hostname>:<port> To revert back to previous behavior of <hostname:port>, there is a config for 9.0.x. distsearch.conf [distributedSearch] useIPAddrAsHost=false For future releases, if sslVerifyServerName=true , then automatically useIPAddrAsHost=false ... View more

1. Any monitor/batch inputs stanza with multiline_event_extra_waittime=true on UF should have EVENT_BREAKER_ENABLE=true and EVENT_BREAKER = <regular expression> in props.conf. Check LINE_BREAKER on HF/indexing side for these sourcetypes and set EVENT_BREAKER. For all sourcetypes that has set multiline_event_extra_waittime=true in inputs.conf on UF you have to set EVENT_BREAKER_ENABLE=true EVENT_BREAKER=<whatever LINE_BREAKER for the sourcetype set on HF or IDX> 2. For all other monitor/batch input stanzas on UF, have just EVENT_BREAKER_ENABLE=true in props.conf. For all sourcetypes that has multiline_event_extra_waittime=false in inputs.conf on UF just EVENT_BREAKER_ENABLE=true 3. For all TAs set EVENT_BREAKER same as LINE_BREAKER(on HF/ indexer side of props.conf) 4. Always EVENT_BREAKER(on UF side of props.conf) should be set to LINE_BREAKER(on HF/ indexer side of props.conf) value.   ... View more

If you have  filtering enabled that will filter more than one event e.g as follows, there is a known issue found with all 8.1.x/8.2.x and 9.0. Next 9.0.1 will have the fix. 8.0.x is not impacted.     whitelist1 = EventCode="299|342|394|500|501|528|624|627|628|629|630|644|672|4608|4610|4611|4614|4616|4622|4624|4625|4634|4647|4648|4662|4670|4720|4723|4724|4725|4726|4728|4729|4731|4732|4734|4735|4738|4740|4741|4742|4743|4756|4757|4767|4768|4769|4771|4776|4778|4779|4781|4800|4801|4904|4905|4907|4946|4947|4948|5136|5137|5140|5141"       ... View more

If useACK set to true and batch mode is on(default on) with Splunk 9.0, there is a possibility of hitting following error log messages. "Unexpected event id" "Invalid ACK received from indexer" "Got unexpected ACK with eventid" This may also lead to blocked queues on forwarding tier. autoLBVolume and autoBatch while processing an event, apply limit using raw size of the event. However if there are  raw less events ( e.g. metrics events) autoLBVolume and autoBatch will end up sending lot more events then configured limits to receiver. With autoLBVolume, it results in more than expected/configured events distributed to receivers. With autoBatch, it results in batch of lot more events than expected. That means while a batch of thousands of events being sent to receiver, at the same time some events are already getting acknowledged. Forwarder creates a list of  events to be acknowledged after successfully sending batch of events. However if the batch is in-flight over TCP layer and forwarder receives an ACKed event of the batch, it's not in the list of expected events to be acknowledged.  That leads to above ERROR. Workaround: Either set useACK=false or autoBatch=false Issue is fixed by 9.0.3 patch. Note:  After 9.0.3 upgrade, you will still see benign “Unexpected event id” log message. However there should not be following log messages. "Invalid ACK received from indexer" "Got unexpected ACK with eventid"   ... View more

Latest splunk release has new added capability that allows older events to be routed or dropped without configuring any regex expression(e.g. INGEST_EVAL). With this new capability, filtering happens during date time extraction, very early stage in the pipeline by AggregatorProcessor, it's least expensive way to dop/route older events. New config ROUTE_EVENTS_OLDER_THAN in props.conf can be added to any stanza along with Timestamp extraction configurations. Right after date/time extraction, by default events can be routed to nulllQueue by setting ROUTE_EVENTS_OLDER_THAN. ROUTE_EVENTS_OLDER_THAN = <non-negative integer>[s|m|h|d] * If set, AggregatorProcessor routes events older than 'ROUTE_EVENTS_OLDER_THAN' to nullQueue after timestamp extraction. * Default: no default Example to drop (route to nullQueue) data that is older than 30 days, set ROUTE_EVENTS_OLDER_THAN=30d [source::/Applications/splunk/var/spool/splunk] TIME_PREFIX = \d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2} \w+\s MAX_TIMESTAMP_LOOKAHEAD = 21 ROUTE_EVENTS_OLDER_THAN = 30d [host::foo] TIME_PREFIX = \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s TIME_FORMAT = %b %d %H:%M:%S %Y ROUTE_EVENTS_OLDER_THAN = 30d Routing data based on dest routing key. ( index/queue/_TCP_ROUTING /_SYSLOG_ROUTING) Route data 30 days and older straight to index queue and avoid regex extraction. [host::foo] TIME_PREFIX = \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s TIME_FORMAT = %b %d %H:%M:%S %Y ROUTE_EVENTS_OLDER_THAN = 30d queue = indexqueue Route data 30 days and older to another index [host::foo] TIME_PREFIX = \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s TIME_FORMAT = %b %d %H:%M:%S %Y ROUTE_EVENTS_OLDER_THAN = 30d index = <30-days-and-older-index> Index and forward OR HWF specific settings Route data 30 days and older to another tcpout group [host::foo] TIME_PREFIX = \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s TIME_FORMAT = %b %d %H:%M:%S %Y ROUTE_EVENTS_OLDER_THAN = 30d _TCP_ROUTING = <send to another cluster - OR - another tcpoutgroup> Route data 30 days and older to another syslog output group [host::foo] TIME_PREFIX = \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s TIME_FORMAT = %b %d %H:%M:%S %Y ROUTE_EVENTS_OLDER_THAN = 30d _SYSLOG_ROUTING = <send to another cluster - OR - another tcpoutgroup> Note :    Above configs are not applicable for HEC event endpoint as these events don't go through date/time extraction. In order to apply above routing rules on HEC events, one of the following option is required.  1. Use endpoint - services/collector/raw from the source end to undergo parsing and timestamp extraction, 2. You can also extract timestamp using /event endpoint by adding the field  :auto_extract_timestamp=true .           /services/collector/event?auto_extract_timestamp=true. Example: http://localhost:8088/services/collector/event?auto_extract_timestamp=true   ... View more

  inputs.conf [http] dedicatedIoThreads = 8 busyKeepAliveIdleTimeout = 300 #(useful when HEC clients are using connection pools and want to keep connections idle. Set it 2 times expected idle time of connection. ) sslServerHandshakeTimeout = 300 #(useful when HEC clients are using connection pools and want to keep connections idle. Set it 2 times expected idle time of connection. # Supported from M-release for cloud and on-prem 8.2.0) On-prem Splunk version 9.4.0 and above can also use auto pipeline feature that scales up queues and pipelinesets instead of hardcoded values Server.conf [general] autoAdjustQueue = true pipelineSetAutoScale = true server.conf (upto 9.3.x) [general] parallelIngestionPipelines = 2 #(never set more than 3 on indexing tier. However on SH/HF it can be set upto number of cores) #Avoid 503 response back, have enough queue buffer for spike in ingestion [queue=indexQueue] maxSize = 100MB [queue=aggQueue] maxSize = 100MB [queue=parsingQueue] maxSize = 100MB #Must for HEC [queue=httpInputQ] maxSize = 100MB OR <10% of persistent queue size if persistent queue enabled> ##Must for HEC. [queue=rulesetQueue] maxSize = 100MB [queue=typingQueue] maxSize = 100MB limits.conf [input_channels] max_inactive = 10000 #( ideally 2 times max(new_channels)) [input_channels] lowater_inactive = 9000 #( max_inactive -1000 recommended if max_inactive > 10000) indexes.conf [<PER_INDEX>] maxTimeUnreplicatedNoAcks=60 #( needed if useACK=false and indexer cluster environment)   Note: Don't set maxSize(server.conf) or queueSize(inputs.conf) more than 10% of persistentQueueSize( if persistent queue is enabled) ... View more