I think you could also have a multi site cluster with one site and one indexer ... View more

Yes I just checked and found an error message starting with "ERROR UiAuth - user= action=login status=failure reason=sso-strict-but-wrong-ip" does this mean, I need to add a ip to web.conf trustedIP? ... View more

Thanks for you comment. I read similar, but I also read that Forwarding at least should work. As I said, we are just receiving Application Logs from that host - this works fine. But only no Security or System logs. (inputs.conf is fine) ... View more

I guess you installed the Splunk CIM Addon? In this case, about all Events containing the word "error" or similar words will get the tag "error". This is defined by a serach in the eventtypes.conf of the Splunk CIM AddOn: [err0r] search = NOT sourcetype=stash (error OR failure OR fail OR failed OR fatal) NOT "not an error" #tag = error and tags.conf: ## error [eventtype=err0r] error = enabled ... View more

Is the data only missing in the app or in general Splunk environment? ... View more

Do you also have an inputs.conf on your indexer with [splunktcp://9997] disabled = 0 ? What does the splunkd.log say of indexer and forwarder? What is the output of: on indexer tail -n100 /opt/splunk/var/log/splunk/splunkd.log | grep ERROR or on the Forwarder tail -n100 /opt/splunkforwarder/var/log/splunk/splunkd.log | grep ERROR ... View more

Referring to your outputs.conf: Add forwardedindex.0.whitelist = .* to your outputs.conf [tcpout:default-autolb-group] stanza and restart the Forwarder. You just telling Splunk to forward, but not what to forward. By this setting Splunk forwards everything. If there is still nothing coming it it could also be a firewall problem. ... View more

Wehre die you her tue error Message? Splunk process loggs to SPLUNK_HOME/var/log/splunk/splunkd.log this is the most common splunk log to look for errors. But also the other logs in that directory might be intresting. ... View more

How do you try to launch the app? Splunk Add-on for Apache Web Server is a TA, so it does not have a GUI App interface. But sourcetypes should be available in the sourcetype overview or when you try to add an input. [ui] is_visible = false ... View more

As I can only tell from your information, there must be some missing permissions. E.g. if Splunk tries to write in a file or directory, but does not have the permission to edit this file. Some more information would be helpful. Which user ist the owner of Splunkd process? Which user installed Splunk? What is the full Error message? I think there must be a whole Error message in the log, saying what file or path Splunk tried to edit. ... View more

If you just configured the Windows Log collection with the TA, it might be possible (depending on your configurations in inputs.conf) that the Windows TA starts indexing from the oldest Windows Events. e.g. if your inputs.conf includes: start_from = oldest current_only = 0 Windows Event Logs can be very large, so it might take some time to index all the old log files. In your case I would just wait for one or two days and that check the latency again. If this is not the problem and you also have problems with other logs latency, it can be also problems with the hardware references: https://docs.splunk.com/Documentation/Splunk/7.2.4/Capacity/Referencehardware but I can only suggest from far. Hope this helps! ... View more

I think you can use the restmap.conf to disable the restapi e.g. with acceptFrom acceptFrom=<network_acl> ... * Lists a set of networks or addresses to allow this endpoint to be accessed from. * This shouldn't be confused with the setting of the same name in the [httpServer] stanza of server.conf which controls whether a host can make HTTP requests at all * Each rule can be in the following forms: 1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3") 2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32") 3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com") 4. A single '*' which matches anything * Entries can also be prefixed with '!' to cause the rule to reject the connection. Rules are applied in order, and the first one to match is used. For example, "!10.1/16, *" will allow connections from everywhere except the 10.1.*.* network. * Defaults to "*" (accept from anywhere) Find the docu here: https://docs.splunk.com/Documentation/Splunk/7.2.4/Admin/Restmapconf Hope this helps! ... View more

You can finde a documentation about capabilities here. there are even some capabilities for the rest api e.g. dispatch_rest_to_indexers https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf?utm_source=answers&utm_medium=in-answer&utm_term=authorize.conf&utm_campaign=refdoc ... View more

Note: Peers are per default only configured to be offline for 60s. Guess you can change this setting in a conf file. When taking single peers down, make sure the replication and search factor is still met. ... View more

I got a question considering your case with over 1000 db onboarding. How many server with DB Connect AddOn did you need for that? Just heard that one DB-connect Indexer/Heavy Forwarder can handle about 70 connections depending on environment and logs. ... View more

Yes, I fully agree with you. Just looking for the safest solution to this problem for our customer 😛 ... View more