About knystrom

knystrom · ‎04-18-2020

I managed to create an CEF output via the GUI and defining crap for data models, data sets etc but the output can only use TCP. Is it possible to reconfigure the output I created to use UDP instead? I am using Splunk 8.0.3, Splunk Add-on for CEF output 2.3.0, Splunk App for CEF 2.3.0 and Diode Sender 1.3.5

knystrom · ‎04-15-2020

Sorry for being unclear, by sending to the Diode Receiver Add-on I meant through the Diode Sender Add-on. Perhaps jumbo frames will make sure that any event will fit in an outgoing UDP packet? I have tried using the CEF Add-on but am a bit unsure of how to configure a data model to match any data in the main index and it seems to be necessary in order to configure a CEF output. Is it possible to configure an output without the hassle of data models and data sets?

knystrom · ‎04-14-2020

Hi, I am trying to send events in a specific index, regardless of sourcetype, to the Diode Receiver Add-On but cannot really get it to work. Setting up the add-on using [default] stanza in props.conf matches events in ALL indexes including _internal and that really makes a mess of the main index in the receiver. I tried using the CEF Add-On but I'm not sure how to configure the routing for cefout. Can it even be configured to send UDP? This is all done in a test environment without a hardware diode for easy troubleshooting but the goal is to set up two splunk servers separated by a UDP-only-diode and have the main index in both servers contain the same information.

Posts	3
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎03-14-2012

Online Status	Offline
Date Last Visited	‎10-30-2023 10:47 AM

Matching specific index

Re: Matching specific index

Re: Matching specific index

Matching specific index

Join the Conversation

Matching specific index

Re: Matching specific index

Re: Matching specific index

Matching specific index