×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jcrosby21
Path Finder
Member since: ‎03-30-2016
‎09-21-2022
Community Statistics
Posts 14
Solutions 1
Karma Given 4
Karma Received 3
Member Since ‎03-30-2016
Activity Feed
View All

Re: Cloudflare logs to Heavy Forwarder - Pipeline ...

by in Getting Data In
‎09-21-2022 06:19 AM
‎09-21-2022 06:19 AM
This error was because I was sending information to the /raw endpoint on my HTTP Event Collector.  With this endpoint the HEC inputs.conf must be specifying the particular index to load the raw events into.  I mistakenly thought that the Cloudflare app would do this for me with props.conf, it has an index defined within the app, but this was incorrect.  With the other HEC endpoint the event specifies the index ITSELF so the learning was the raw endpoint requires more information in the HEC inputs.conf.  I also needed to tweak the cloudflare app's TZ (UTC) , INDEXED_EXTRACTIONS (json), and KV_MODE (none) in the applications props.conf to properly ingest once they were being placed on the index. ... View more

Re: Splunk HEC on heavy forwarder but limiting to ...

by in Getting Data In
‎06-10-2021 09:59 AM
1 Karma
‎06-10-2021 09:59 AM
1 Karma
and after writing up a whole thing laying out all the pieces I decided to reboot my forwarder just in case and now it works for me.   It would appear that while SOME things get picked up without rebooting services when working with the HEC some things probably need splunk to restart.   Thanks for the validation! ... View more

Re: How to define specific characters within angle...

by in Splunk Search
‎06-29-2016 11:33 AM
‎06-29-2016 11:33 AM
Hmm, so I had trouble putting my CSV in $SPLUNK_HOME/etc/system/lookups and my stanza in transforms.conf $SPLUNK_HOME/etc/system/local on my search head - it kept not finding my CSV for some reason - but when I moved them both under the search app I got it working in the query and was able to add a sourcetype stanza to my props.conf in the 'search' app and got the auto-lookup working. Looks pretty good. Thanks! ... View more

Re: How to handle Custom App deployed to index pee...

by in Deployment Architecture
‎04-11-2016 06:22 AM
‎04-11-2016 06:22 AM
I agree, there's not typically technical overlap between the two "types" of apps - but there is from a functional perspective. Is it uncommon to have both the inputs and the props for a given set of events custom defined in many apps? ... View more

Re: How to duplicate/clone a deployment app (Splun...

by in All Apps and Add-ons
‎04-04-2016 08:25 AM
1 Karma
‎04-04-2016 08:25 AM
1 Karma
It's worked out for our needs. We haven't upgraded the app yet, but I don't imagine much would change for the inputs between versions. And we don't really touch the apps often, only if we need to start or stop ingesting a new event id or event log, etc. And in some cases it affects all of the copies and some cases just one particular copy. ... View more

Re: Universal Forwarder "learned" sourcetype edits...

by in Splunk Enterprise
‎03-31-2016 10:19 AM
1 Karma
‎03-31-2016 10:19 AM
1 Karma
Okay, that all makes sense. I think what's throwing me with the UF's props.conf is that it appears that some things do matter for the Input stage of the pipeline: http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F but MAX_TIMESTAMP_LOOKAHEAD didn't seem to make sense as it's more of a parsing thing. In the end I think it's a moot point if I'm going to leverage a deployment server and manage the props.conf on the indexer for the parsing. Thanks! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-21-2022 09:40 AM
Karma from
View All
Karma given to
View All