Activity Feed
- Posted how Independent stream forwarder app on Linux machine, forwards netflow data to Indexers in clustered environment? on All Apps and Add-ons. 05-06-2019 04:39 AM
- Tagged how Independent stream forwarder app on Linux machine, forwards netflow data to Indexers in clustered environment? on All Apps and Add-ons. 05-06-2019 04:39 AM
- Posted Re: Reduce index period for old Index on Splunk Search. 05-06-2019 03:24 AM
- Posted Reduce index period for old Index on Splunk Search. 05-01-2019 10:42 PM
- Tagged Reduce index period for old Index on Splunk Search. 05-01-2019 10:42 PM
- Posted Re: Streamfwd is not forwarding netflow v9 data to SH on Getting Data In. 05-01-2019 10:14 PM
- Posted Streamfwd is not forwarding netflow v9 data to SH on Getting Data In. 04-30-2019 11:30 AM
- Tagged Streamfwd is not forwarding netflow v9 data to SH on Getting Data In. 04-30-2019 11:30 AM
Topics I've Started
05-06-2019 04:39 AM
Hi!
The Splunk environment has 2 Indexers (Clustered) and 1 Search Head.
There is a dedicated Linux machine which forwards the NetFlow data received on port 9998 to the indexers.
The streamfwd.conf is set like below:
```
[streamfwd]
httpEventCollectorToken = 06e31ecb-61e7-4f5d-bf7e-5651dbbc125a
ipAddr = 0.0.0.0
indexer.0.uri = http://10.23.0.14:8088
indexer.1.uri = http://10.23.0.15:8088
netflowReceiver.0.ip = 11.23.112.13
netflowReceiver.0.port = 9998
netflowReceiver.0.decoder = netflow
logConfig = streamfwdlog.conf
dedicatedCaptureMode = 0
netflowReceiver.0.protocol = udp
netflowReceiver.0.decodingThreads = 16
netflowElement.0.id = 258
tcpServer.0.address = 11.23.112.13
tcpServer.0.port = 80
```
The data is being sent to both Indexers.
But around 97% of the data is being sent to Indexer no. 2.
Is there any logic to how streamfwd decides which data goes to which Indexer, or does it need to send all the data to both Indexers?
How does streamfwd work in clustered environments?
Thanks a lot.
05-06-2019 03:24 AM
Thanks a lot.
Confirmed with the Analyst. Your assumption was right.
The old data was ingested a few months ago.
Thanks for the tip on best practice as well.
05-01-2019 10:42 PM
Hi All,
We had an index named axo, which is around 3 years old and had around 300 GB of data.
Now we have decided to reduce the index size by retaining only the latest 90 days of data.
We have updated the "frozenTimePeriodInSecs = 7776000" in /opt/splunk/etc/system/local/indexes.conf.
We also ran the btool command (./splunk cmd btool indexes list) to see if there are multiple .conf files.
But in the btool result as well, we observed that "frozenTimePeriodInSecs = 7776000" was correct.
When we do the search, we still see the old data of the past 2 years.
Is this method of reducing the size of the index correct?
Do we need to follow any other method? Please guide.
PS: "maxHotSpanSecs = 7776000"
Thank you.
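The follow-up reply above confirms the usual cause of "old" events surviving a shorter frozenTimePeriodInSecs: Splunk ages data per bucket, using the newest event in the bucket, so a bucket that mixes two-year-old events with recently indexed ones is retained as long as its latest event is within the period. The script below is an added example (not from the question, the reply, or Splunk itself) that models that rule over constructed bucket time ranges; the bucket names, dates and the "now" of 2019-05-02 are assumptions chosen to resemble the situation in the question.

```python
"""Model of Splunk's per-bucket frozenTimePeriodInSecs ageing rule (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Value from the question: 90 days.
FROZEN_TIME_PERIOD_IN_SECS = 7776000


@dataclass(frozen=True)
class Bucket:
    """A warm/cold bucket summarised by the _time range of the events it holds."""
    name: str
    earliest: datetime  # oldest event _time in the bucket
    latest: datetime    # newest event _time in the bucket


def is_frozen(bucket: Bucket, now: datetime,
              period_secs: int = FROZEN_TIME_PERIOD_IN_SECS) -> bool:
    """A bucket freezes once its *latest* event is older than the period.
    Ageing is per bucket, never per event, so one recent event keeps every
    older event in the same bucket searchable."""
    age_secs = (now - bucket.latest).total_seconds()
    return age_secs > period_secs


def classify(buckets: List[Bucket], now: datetime,
             period_secs: int = FROZEN_TIME_PERIOD_IN_SECS) -> Dict[str, str]:
    """Map each bucket name to 'frozen' or 'retained' at time `now`."""
    return {b.name: ("frozen" if is_frozen(b, now, period_secs) else "retained")
            for b in buckets}


def oldest_searchable_event(buckets: List[Bucket], now: datetime,
                            period_secs: int = FROZEN_TIME_PERIOD_IN_SECS) -> Optional[datetime]:
    """Earliest event _time that is still searchable, i.e. in a retained bucket."""
    retained = [b for b in buckets if not is_frozen(b, now, period_secs)]
    return min((b.earliest for b in retained), default=None)


def _dt(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample (assumption): "now" is the day after the question was posted.
NOW = _dt(2019, 5, 2)
SAMPLE_BUCKETS = [
    # Data indexed back in 2016 with nothing newer in the bucket: ages out.
    Bucket("db_2016_a", _dt(2016, 5, 1), _dt(2016, 7, 30)),
    # Two-year-old events ingested a few months ago alongside current ones:
    # the bucket's latest event is recent, so the bucket and its old events stay.
    Bucket("db_mixed", _dt(2017, 3, 15), _dt(2019, 2, 10)),
    # Purely recent bucket.
    Bucket("db_2019", _dt(2019, 3, 1), _dt(2019, 4, 30)),
]

if __name__ == "__main__":
    for name, state in classify(SAMPLE_BUCKETS, NOW).items():
        print(f"{name}: {state}")
    print("oldest searchable event:", oldest_searchable_event(SAMPLE_BUCKETS, NOW))
```

Run it and `db_mixed` is retained although it holds events from 2017, which is exactly the "old data still visible in search" symptom from the question. Two caveats the model leaves out: the rule applies to warm and cold buckets, so a hot bucket must first roll to warm (the question's maxHotSpanSecs = 7776000 lets a single hot bucket span 90 days), and in a clustered index every peer must see the same indexes.conf, so btool should be checked on the indexers themselves rather than only on the search head.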
05-01-2019 10:14 PM
Thanks for the reply.
> Did you configure the Streams after configuring the streamfwd?
Yes, we have configured the streams and enabled the "netflow" stream.
By default we have selected all the 154 fields in the "netflow" stream.
> "Configuration-->Distributed Forwarder Management" - define your groups to target
Unable to find the 'streamfwd' here, under "Matched Forwarders".
(Initially, we added to 'default group', but later created a new group as well.)
Could there be any issues with the 'streamfwd' installation with curl?
Are any manual configuration updates required in inputs.conf and streamfwd.conf?
Thanks a lot.
04-30-2019 11:30 AM
Hi All,
Installation of the Splunk Stream App on the Search Head was done.
Using curl, the streamfwd was installed on the Linux machine.
Later, HEC was enabled and the token was updated on the indexers through the cluster master.
The environment has 1 Search head, 2 Indexers, 1 Cluster Master, and 1 Deployment server.
All servers are Windows servers. Only the streamfwd machine is a Linux machine.
Netflow data is being received on port 9999.
We have also configured inputs.conf and streamfwd.conf based on the instructions in the Splunk docs.
But we do not see any data ingestion.
We confirmed that data is being received on port 9999 with tcpdump.
Thank you.