oh ok great thank you. ... View more

@sbbadri thanks this resolved my problem i deleted the unwanted app from master-apps directory and did a distributed push and it was succesful. One more question after i redistribute the bundle which has config changes do i need a reboot for both indexers/peers or no ? ... View more

Thank you i will try this and update you tomo. I have uploaded the unwanted app into master-apps and in slave-apps tomo i will delete the app from cluster master and then try distributing the bundl again. ... View more

Thanks Even when I run index=* | stats count by IP _raw I do see multiple logs for the same IP. Is this Duplication? ... View more

Thanks I figured out remote logs are received via syslog and then written to a local file on the indexers and monitored locally in our case. And we do have a f5 load balancer before the indexer cluster ... View more

Thanks! when i run index=* | stats count by host _raw i do see multiple logs for same ip however the count is 1 ... View more

From the query and the results that i told you earlier do you mean to say we have duplication of data issue? and I checked the f5 config we have both our indexers mapped to a virtual IP and all the monitored hosts like FWs and switches have this VIP entry in their logging for syslog setup. ... View more

Thanks I ran index=* | stats count by _raw | where count>1 for last 24hrs and I see more than 4 hundred thousand events. We do have a f5 load balancer before the indexer/syslog cluster and I do not know why our previous splunk admin set the indexers and syslog servers on same box. ... View more

ok, sure I will thank you very much for all your help very grateful. ... View more

Thank you, from the below output I guess it is just forwarding to 3 & 4 and not doing indexing as I see index = false. [root@splunk02 bin]# ./splunk btool outputs list [indexAndForward] index = false [syslog] dropEventsOnQueueFull = -1 maxEventSize = 1024 priority = <13> type = udp [tcpout] ackTimeoutOnShutdown = 30 autoLBFrequency = 30 blockOnCloning = true blockWarnThreshold = 100 compressed = false connectionTimeout = 20 defaultGroup = primary_indexers disabled = false dropClonedEventsOnQueueFull = 5 dropEventsOnQueueFull = -1 forceTimebasedAutoLB = false forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_internal|_introspection) forwardedindex.filter.disable = false heartbeatFrequency = 30 indexAndForward = false maxConnectionsPerIndexer = 2 maxFailuresPerInterval = 2 maxQueueSize = 7MB readTimeout = 300 secsInFailureInterval = 1 sendCookedData = true sslQuietShutdown = false tcpSendBufSz = 0 useACK = true writeTimeout = 300 [tcpout:primary_indexers] server = splunk03:9997, splunk04. :9997 I am wondering why my prev admin chose to forward data from estreamer to splunk02 i.e. our enterprise security server rather than directly to the indexers. Is there any added benefit for forwarding estreamer to enterprise security Splunk rather than indexers first? ... View more

Thanks a lot once again. for Question 5: Under settings > Data > Forwarding $ Receiving > Forward data > Configure forwarding > I do see names of my indexers:9997 (splunk03:9997 & splunk04:9997) status as enabled which means it is forwarding I guess. Sorry but I did not get your statement "unless the inputs have indexAndForward enabled" how do I check this index & forward? ... View more

Thank you very much for your quick help. Sorry I am new to splunk Can you elaborate on Question no. 1 I ask again because we have a lot of performance issues our searches are slow. & Question 3 I read the doc thanks and I think below is our scenario Distributed mode Yes Indexer clustering yes Search head clustering Not relevant Monitoring Console options The master node. If preferred, you can instead run the Monitoring Console on a dedicated search head not used for other purposes. So does this mean I should install DMC on our master server? one more question Question 5) All our Router, Switches, FWs, forward data directly to our Syslog servers which are nothing but our indexers 3 & 4 but our estreamer i.e. Cisco IPS/Firepower manager forwards data to Splunk 02 server i.e. our Enterprise Security app search head now I want to know whether Splunk 02 does the indexing of data on its own or does it forward it to indexers 3 &4 for indexing and then request it back during searches. ... View more

Thank you this helps. ... View more

Thank you very much for your help ... View more

Thanks for your help ... View more

Thanks for the reply I have 5 asterixs * * * * * in the Cron schedule box. Should I ignore the other box which has */10 in the auto_summarize.cron_schedule ? ... View more

Thanks for the quick help. I do not understand 1) What do the 5 stars in cron schedule * * * * * mean? and the auto_summarize.cron_schedule is */10 * * * * does this mean the search is scheduled to run every 10mins? ... View more