ok, i think i got it 🙂 if i want to make parsing in HF I just need to copy the configuration files from default files. ... View more

I had the same problem until I registered the forwarders with the Splunk Enterprise instance (ostensibly for configuration control). Though this step is described as an optional convenience (without explicitly saying so), it turns out to be absolutely necessary: without it, the Splunk Enterprise instance won't see the forwarders even though it's listening for them! On the receiver, enable listening using: # /opt/splunk/bin/splunk enable listen <port> -auth <splunkusername>:<password> On each forwarder, designate the receiver using: # splunk add forward-server <hostname or ip_address>:<listening port> [-auth <splunkusername>:<password>] On the receiver, register the forwarders: # splunk set deploy-poll <hostname or ip_address>:<management port> ... View more

The LogFormat is used to output the access log in Apache, so that is required. The log format supplied in the documentation is the order in which the Apache add on will expect the log data to appear in the log file. You can confirm this by looking at the props.conf/transforms.conf inside the application, it will likely be expecting the data to appear in a particular order...(and it will expect information like user agent to be included in the data). ... View more

I suppose with "Splunk Cloud" you're referring to the Splunk SaaS service. Then your data leaves your network and passes on to the Internet. I would carefully consider about the security implications. If every server has a forwarder connecting directly to the cloud, you need to open up a lot of holes in your firewall and it's difficult to control the traffic flow. Best practice (from my point of view) is having a forwarder (or pair of, if redundancy matters) at the edge of your network (maybe in a dedicated DMZ zone), used as intermediate between your network and the cloud. Allows you to isolate the servers in your network from the Internet (and vice versa). I wouldn't allow internal machines to directly open connections out of the network. Having forwarders on each server might be more reliable. As an example, transporting data via forwarders is more reliable then sending them over UDP syslog or polling them via WMI. Thus I would consider deploying universal forwarders on each server, let them forward to the heavy (intermediate) forwarders at the edge of your network and send to the cloud from there. The intermediates could also be used as deployment server to keep the configuration of all the universal forwarders in sync. ... View more

Was a case created in your customer portal in Splunk? Or were e-mails just sent? ... View more

Thanks for this additional investigation hint. Helped a lot in my case. ... View more