Hello, My goals is to send rrd file data to a splunk indexer. I have a remote host that currently forwards linux_secure data to the indexer - works fie. I am NEVER able to create an input for any port tcp or otherwise from this dialog window: When I configure a TCP forward-server using lthe UF the forward-server never goes active - I only get "cooked" data on the indexer. the host and source type are configured If I configure a port (tcp or udp) from here: this comes from Data/Data inputs/TCP This setting comes from Settings/Data/Forwarding and receiving I get data to the indexer.  I may be missing something. I installed collectd on a remote host, configured it for the csv plug in, and the cpu plugin -  this data is being collected and save to the /var/lib/collectd directory on the remote host. How can I get this data to splunk and graph it? I can see data coming in - but cannot do anything with it. The splunk web site says that the HEC inputs must be used to get metrics into splunk. How do I configure the remote host to do this? I.E. send the data from collectd to splunk, I am open to suggestions and clarification thanks eholz1   ... View more

I have installed splunk universal forwarder on a linux box. I want to forward a log file. This version (9) will not forward to my Splunk indexer. Version 8.24 does forward to my indexer. Does TLS have to be configured for version 9 to work? How can I disable the TLS requirement, or what do I have to do to get this to work?   Thanks, eholz1 ... View more

Hello Members, I have a basic question - I am not sure how to get data into splunk, into a custom index, use a source type, and then exrract fields. I have the add-0n installed for Cisco network devices, but not sure it is the correct app to use for my case. I have a remote syslog server (running rsyslog) that builds log files for cisco switches and routers. I have a universal forwarder installed on the syslog server, it forwards data to splunk IF I configure it correctly.  I have tried configuring the Splunk receiver two ways: one using the "Forwarding and receiving" option from the "DATA" area - this works - but only allows showing data from the host sending the log info. And uses only 1 port, I am using 9997. I have not seen how to set a data source or source type for the incoming data.   The second way seems to be using the "Data Inputs" part of the "DATA" area.  This seems to not be possible, as the data is coming from a Universaly forwarder not a Splunk Enterprise configured as a forwarder.   How can I assign a source type and index to the data that does come in from the host that is configured with port 997 as a receiver?  Sorry for such a confusing question, Regards, eholz1     ... View more

Hello Splunkers, Is a splunk forwarder required to send data to splunk from a switch or router? Can I configure the the device to send logs directly to the splunk like using port 514. Like in a cisco config - "logging host", etc   Thanks EWH ... View more

Hello Members, I have seen many,many posts on splunk migration. I am confused. I hope that I can get some direction on how to accomplish this correctly. Current splunk install: Windows 2012 running Splunk Ent 8.0.1 New splunk install: RHEL7 x_64 linux running Splunk Ent 8.0.3 I am going from Windws to Linux. I have seen posts where the suggestion is "copy all from $SPLUNK_HOME to the new instance" This does not quite make sense to me - and all the conf files on the Windows side will all have "non-linux" paths using the "\". I have looked at my indexes.conf file, and other conf files and they have the path expressed Windows style. I have seen another post where you stop the old instance, and copy the buckets to the new instance like this: 1. Roll any hot buckets on the source host from hot to warm. 2. Review indexes.conf on the old host to get a list of the indexes on that host. 3. On the target host, create indexes that are identical to the ones on the source system. 4. Copy the index buckets from the source host to the target host. 5. Restart Splunk Enterprise. I will assume the 5 steps above would be for all indexes, both custom (in the local directory) and default (in the default directory - i would assume that all windows paths would have to be changed to linux style in the indexes.conf file and the inputs.conf file?? I did a test with a simple index that was created just for testing. I created an indexes.conf file on the new server in the /etc/apps/search/local - revised the paths to linux. Then I copied the \var\lib\splunk\test-index directory to the LINUX machine using the forward-slash paths: "/". i then performed a search on this new index on the new server and it works fine. My basic question is if I copy all under $SPLUNK_HOME from windows do I have to change the paths? Or if I try the 5 part list above, does it just mean copy the db data from \var\lib\splunk\ to the new server /var/lib/splunk/, and edit the indexes.conf and inputs.conf files accordingly?? what about the mongo dir?? Thanks so much, Eholz1 - Eric ... View more

Hello Members, We have a requirement to come up with a hardware solution for indexing a relatively small ammount of data. 20 GB per day. I seen considerable documention on the Splunk forum and site. Most infomation is oriented towards larger amounts of data - I would assume that our disk subsystem run run an less that 800 IOPS. For reference we would have less than 4 users so we could run a combined instance. Memory would be from 32GB to maybe 128GB, and we should have 8 to 12 cores and 64 bit > 2GHz. (yes we could virtualize this deployment). I am open for tips and suggestions, Eholz1 ... View more

Hello All, I have splunk enterprise at 7.3.1 on Windows 2012 server. I am trying to configure alerts to send email. I have an smtp email server which requires no authenification. Splunk thinks it sends email with an alert but then I get the error message below: [Errno 10013] An attempt was made to access a socket in a way forbidden by its access permissions while sending mail The windows firewall is off. Has anyone else seen this error message? How to fix? Thanks, eholz1 ... View more