Hi, i have a setup where a packet broker is sending multiple data streams to a universal forwarder. I need to understand if the traffic is tagged somehow from a particular source (replay a pcap file through packet broker), can I use inputs.conf with the tagged 'field' that will hopefully show a difference so i can send to a specific index or do i need to use props / transforms / outputs? thanks in advance Damindra ... View more

I want to test throughput on a Splunk setup, but I will use a Dev 10GB license, but the traffic will be nearer 6-7TB per day. I know this will go over the license limit, but I only need to test for around 10 days. I have 4 dev Licenses. Will Splunk continue to work if we just use the 10GB licenses, adding a new one every 5 days? This is a proof of concept of the hardware? We need Splunk to continue working with all its functionality during the 10 days. Any information on if this will work is very welcome. Thanks in advance ... View more

I havedeployed the Phantom OVA and setup IP and server names according to my environment. I go to https://[myphantomserver] and get: 500: Server Error Sorry, something went wrong with your request the URL: https://[myphantomserver]/eula Seems it cannot display the license page? I am using a community license edition Can anyone shed some light I have set host names in '/etc/hosts' and /etc/'hostname' files many thanks in advance ... View more

Reading from article : Does data indexed and forwarded from a heavy forwarder to indexer would charge twice? Any indexed forwarded events from a Heavy forwarded are NOT licensed twice. When Indexing and forwarding from a Heavy Forwarder, the licensing is only used at the Heavy Forwarder, since indexed Data sent to the Indexer, doesn't go through the Parsing queue (as well as the Aggregator and Typing queues). I have setup the following on my Heavy Forwarder: outputs.conf: defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = rdbrsdem03.ref.clp7.local:9997 indexAndForward=true props.conf [source::tcp:9999] BREAK_ONLY_BEFORE=^CEF\:0\| So on my heavy forwarder, I am sending indexed data to my indexer (rdbrsdem03), and it also filters all events that start with CEF:0| When I check licensing it seems as if the events ARE being indexed on both the Heavy Forwarder and Indexer. Can someone provide me with a search possibly using the 'summary' index that proves the events are only being index at the Heavy Forwarder, please? I have a developer license at the moment so would like to prove that events that need to be indexed at the Heavy Forwarder (due to local users in a remote site being able to search events of their local hardware events) and then not being reindexed (in effect doubling licensing costs) on the Indexer. Hope this all makes sense, please let me know if there is anything further you may need. kind regards Damindra ... View more