I encountered this as well when running splunkforwarder on a Kubernetes cluster as a DaemonSet. This was solved by mounting the volume to /opt/splunkforwarder-etc/ instead of /opt/splunkforwarder. It seems that all the local/custom configuration should be implemented on /opt/splunkforwarder-etc/.
You can use the below sourcetype. (Or the default pretrained "json" sourcetype)
[data_json]
pulldown_type = true
INDEXED_EXTRACTIONS = json
KV_MODE = none
category = Structured
Hi, this was solved in my environment by applying the below config in outputs.conf on your HeavyForwarder.
[tcpout]
negotiateProtocolLevel = 0
Once applied, you need to restart the Splunk service.
Even admin and other privileged users can have a lockout policy. There is a capability inside roles management named "never_lockout". You just have to remove it under the "admin" default role.