I have a UF sending to a UF sending to Splunk. The intermediate UF is sending data but just from that host. The first UF's data is not getting to Splunk.
Intermediate UF IP 10.0.1.18
Splunk IP 10.0.1.65
Here is the conf file info:
First UF:
inputs.conf
[default]
host = SP-DB
outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.0.1.18:9997
[tcpout-server:// 10.0.1.18:9997]
Intermediate UF:
inputs.conf
[default]
host = SPLUNK2
[splunktcp://:9997]
compressed = true
disabled = 0
outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.0.1.65:9001
[tcpout-server://10.0.1.65:9001]
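Added example, not code from the original post: a small Python check that parses Splunk .conf stanzas and verifies, for one forwarding hop, that the sender's tcpout target port has a splunktcp input on the receiver that is not disabled, and that the compressed setting agrees on both sides (a receiver with compressed = true expects the sender's tcpout stanza to set compressed = true as well). The sample stanzas are copied from the post above; the first UF's outputs.conf is checked against the intermediate UF's inputs.conf.

```python
"""Check one forwarding hop (sender outputs.conf vs receiver inputs.conf) for a matching
splunktcp port and agreeing `compressed` settings. Added example, not from the post."""
import re

# Constructed sample: the first UF's outputs.conf and the intermediate UF's inputs.conf as posted.
FIRST_UF_OUTPUTS = """[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.0.1.18:9997
"""
INTERMEDIATE_INPUTS = """[splunktcp://:9997]
compressed = true
disabled = 0
"""

def parse_conf(text):
    """Return {stanza: {key: value}}; blank lines and # comments are skipped."""
    conf, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = m.group(1).strip()
            conf.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            conf[current][key.strip()] = value.strip()
    return conf

def is_true(value):
    return str(value).strip().lower() in ("true", "1")

def check_hop(sender_outputs, receiver_inputs):
    """List problems for one hop; an empty list means the hop is consistent."""
    out, inp = parse_conf(sender_outputs), parse_conf(receiver_inputs)
    tcpout = out.get("tcpout", {})
    group = out.get(f"tcpout:{tcpout.get('defaultGroup', '')}", {})
    # compressed may be set in [tcpout] or per group; when absent Splunk treats it as false
    sender_compressed = is_true(group.get("compressed", tcpout.get("compressed", "false")))
    problems = []
    for target in [t.strip() for t in group.get("server", "").split(",") if t.strip()]:
        port = target.rsplit(":", 1)[-1]
        listener = inp.get(f"splunktcp://:{port}") or inp.get(f"splunktcp://{port}")
        if listener is None:
            problems.append(f"{target}: receiver has no splunktcp input on port {port}")
        elif is_true(listener.get("disabled", "0")):
            problems.append(f"{target}: receiver's splunktcp input on port {port} is disabled")
        elif is_true(listener.get("compressed", "false")) != sender_compressed:
            problems.append(f"{target}: compressed mismatch (receiver "
                            f"{listener.get('compressed', 'false').lower()}, sender {str(sender_compressed).lower()})")
    return problems
```

Run it with the posted stanzas and it reports the compressed mismatch on 10.0.1.18:9997; adding compressed = true to the sender's tcpout group stanza clears it.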
Here is my SPL; what am I doing wrong?
|tstats count from datamodel=Authentication where ([|inputlookup threatconnect_ip_indicators.csv | fields ip | rename IP AS Authentication.src]) by Authentication.src, Authentication.user, Authentication.dest, Authentication.action
|rename Authentication.src as SRC, Authentication.user as USER, Authentication.dest as DEST, Authentication.action as ACTION
|table USER SRC DEST ACTION count