Hello @gcusello, I tried your solution but it is not working...  In the fields.conf the [foo] stanza should be [hf] here right ?  Do we agree that afterwards, I should see the hf fields/value when I do a search right ? Thanks a lot, GaetanVP  ... View more

Ok thanks @gcusello, I will try to use the answer you gave above Bye, GaetanVP ... View more

Hi again @PickleRick, thanks again for all those information (you even made me laugh with the last sentence) ! So basically for the above Palolo use case, how would you have done it ? ... View more

Hello @gcusello, yes understood. But in my use cases I am talking about logs coming directly from udp or tcp, not from UF. For instance in the Palo Alto documentation, it is literally said to configure this udp or tcp input (via GUI or CLI) to forward data from Panorama instance to Splunk Indexer or HF : https://splunk.paloaltonetworks.com/firewalls-panorama.html#gui So here, if I do not want to have a Single Point Of Failure, I need to have a load balancer between the Panorama machine and my 2 HF listening for incoming network logs. I also cannot tell my Panorama to send the logs to the two HF otherwise I would end up with  duplicated events. Thanks for your time, GaetanVP   ... View more

Thanks @PickleRick, All clear for your first parameter, good to know ! For the second parameter, I  am not sure to understand. I have many use cases where a network appliance (where UF cannot be installed) can send udp or tcp logs on a specific port. So  instead of targeting a  unique HF I target a F5 virtual IP and then load balance to my two Splunk HF - it keeps protocol and port. What is wrong with that approach ? As far as I know Splunk does not provide a HA feature for HF listening to incoming network data. Also I see a lot of Splunk Add-On that needs to be installed on a HF to just pull data from  Network Appliances but with that pulling mechanism, you always end up with your HF being a Single Point of Failure... I made this post in the past where we discussed about pulling limitation : https://community.splunk.com/t5/All-Apps-and-Add-ons/Multiple-HF-for-one-Event-Hub-Splunk-Add-on-for-Microsoft-Cloud/m-p/622370 Thanks a lot for always sharing your knowledge!   ... View more

Hello @gcusello, Ok it means I cannot have a generic inputs.conf to be deployed on both HF right ? Because HF1 is basically an hardcoded value, there is not Splunk variable to say "for this fields look at the hostname of the machine itself" right ?   If I want to add the metadata to all my logs I can create the inputs.conf files in /ect/systen/local path of the HFs ? The [default] stanza will apply to all logs ? I've never worked with fields.conf... I will take a look at it thanks ... View more

Thanks for all those info ! One last question, when you mentioned " Syslog server  (Rsylog or SyslogNG) to listen to TCP/UDP ports and writes to a file, HF monitors this file and ingests data"  Does the HF and the Syslog server would be on the same machine ?   ... View more

Hello @scelikok, thanks but I am not sure to understand How does the src port impact the data flow ? I configured f5 to forward data to a specific port on  the HF, and I configured the HF to listen on that port. Why would F5 retry to connect to HF with a different source port ?  Thanks ... View more

Hello @PickleRick,  thanks for your answer This give details about settings precedence but I understand there is no possibility to combine stanza Regards, GaetanVP ... View more

Hello @jamie00171, This can be very useful in my use case, not exactly what I had in mind but it seems to be a real Splunk limitation ! Thanks for your answer, GateanVP   ... View more

Hello @isoutamo, Okok, indeed I would like to avoid clone sourcetype but I will keep that in mind if needed. Thanks a lot, GaetanVP ... View more

Hi @jesusnoya15 , I also had this problem because I was using my email address instead of my Splunk username. Be sure to use your username... Regards, GaetanVP ... View more

If Splunk is running : you can find the user running Splunk using  ps -aux | grep -i Splunk And find which user is running the process If Splunk is not running : you can check who owns the $SPLUNK_HOME folder (usually under /opt/splunk) As @richgalloway mentioned, you can try this command o be sure the user that will run Splunk has the ownership of the install path : chown -R <user_meant_to_run_splunk> /opt/splunk   Good luck! ... View more

Hello @satyaallaparthi, Even if you have a lot of indexes and sourcetypes, I would advice you to specify them in the query (or create eventtypes to group hosts or sourcetype) in order to have a wrapper and keep the query easy to read. The index=* makes always searches really slow. I also think that you could use the "Fast Mode" for your research if you didn't already. Let me know if that helped ! Good Luck     ... View more

Wow I've never saw this parameter before... thanks a lot ! Worked as expected when I removed the line. Regards, GaetanVP ... View more

Hello @gcusello, Good guess, I indeed have "Permission denied" in some WARN message (failed to open for checksum - for a .gz file) But I also have the following string "Reason: cannot_open" (this time it is for a single file)  I suppose there is different string to search based on the type of files / folder, but your answer helped, thanks ! GaetanVP ... View more