Hello Splunkers, I have a question around Monitoring a same File from different server, The situation is Server1, Server,2,Server3 is connected to the same NFS where log file abc.log is , now Splunk universal forwarder is installed on all these servers and in the inputs.conf has a monitoring stanza to monitor log file /a/b/c/abc.log, what are the options here to avoid duplication on forwarding/indexing. Please advise, Thank ! Moh.. ... View more

Hello Splunkers, Appreciate if anyone can help me here, I'm after a Best practices guide/ article for Windows Server Logs, specially when it comes to Windows AD&DC monitoring, The default Windows TA does collect a lot of logs , but I would like to look into some advance use-cases options , Tuning configs, GUID/SID translation configurations (as this was required when I was using another log management solutions).  I look forward to hear back from the experienced Splunkers. Thanks, Regards, Moh. ... View more

Hello Splunkers, I have a question around Splunk Architecture, would greatly appreciate the inputs from Architects. In a Scenario where UF on log source>Heavy Forwarder>Indexer Basically  A Universal Forwarder get installed on a log source with a configuration to connect to Deployment server, Once it connects to DS, the DS will push the Output APP & the corresponding technology add-on i.e. Windows/Linux to the Universal Forwarder. The Output APP on the Log source(UF) is basically forwarding to heavy forwarder over standard port 9997 On the Heavy Forwarder an output APP under etc/apps  is there to forward to indexers. So the question is do I need to also have an Windows_TA/Linux TA app on heavy forwarder ? is it necessary ? if I dont install a TA , my understanding is heavy forwarder should still forward everything it receives over port 9997(without a TA/inputs.conf) to the next Splunk , is that correct ? Sorry I know its long reading 😞 but I hope to receive some responses. Thank you ,   regards, Moh ... View more

Hello Splunkers, Checking if anyone has successfully integrated Beyond Trust RS SaaS with Splunk , their official guide only talks about on-prem integration where a Middleware connector needs to be installed, but for Cloud Remote Support application how this can be achieved , is there a Custom TA for REST or a HEC can be used here. Appreciate some assistance here, Thanks! regards, Moh.     ... View more

Hello Splunker, After I upgraded to version 9.4 , KV store does not start , I generated a new certificate by renaming server.pem and restarting the splunk , And now I see the following error on mongod.log [conn937] SSL peer certificate validation failed: self signed certificate in certificate chain NETWORK [conn937] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate in certificate chain. Ending connection from 127.0.0.1:38268 (connection id: 937) Does anyone have any idea what could be missing ? Appreciate your inputs in this regard, Thank you, Moh ... View more

Hello Team, When an organization is  having Hybrid deployment , so they using Splunk cloud service too, can data be sent directly to Splunk Cloud, for example there is a SaaS application which only has an option to send logs over syslog , how can this be achieved while using Splunk cloud. What are the options for Data input here. If someone can elaborate. Thanking you in advance, regards, Moh ... View more

Hello Splunkers, I need some help to understand what will be the minimum spects required for Splunk Enterprise Installation for the purpose Heavy Forwarder where only it will receive logs from 1 source over Syslog and forward to Indexers.  Can I just use 2 CPU's 8 GB RAM and storage based of estimation of the log file sizes. I'm asking this because the official guide says it should be minimum 12 GB RAM , 4 Cores CPU. Please if someone can advise on this. Thanking you in advance,   Moh.... ... View more

Hello Splunkers, I'm trying to push data to indexers from HF's where I have a syslog-ng receiving the logs. This is from a non-supported device therefore TA is not available on Splunkbase. My concern is when I'm writing inputs.conf can i just create one directory and call it cisco_TA and inside that create a directory called local and place my inputs.conf there ? is that sufficient to create a custom TA and transport the logs. Or should create other direcotires such as default , metadata, licenses ect.. Please if someone can advise on the above.   Thank you,   regards, Moh. ... View more

Hello Splunkers, I have an Architecture related question if someone can help with it please. My Architecture is like , Log Source(Linux Server)> Heavy Forwarder>Indexer  Lets say I'm on-boarding a New log source, When I'm installing an UF on my Linux server , it connects back to my Deployment Server and get the APP(Linux TA) and the output.conf APP which is basically my Heavy Forwarder details. Now my question is Do I need to have the same Linux_TA installed on my Heavy Forwarder And Indexer too ? Or as long as this TA is on Log source, it is sufficient. Hope I have explained well. Thanks for looking into this and I greatly appreciate your input. regards, Moh.    ... View more

Hello Splunkers, I need some help in understanding the difference between Auditd logging on Linux and the traditional way of capturing the log files under the var/log/* , what is it that Auditd provides which we cannot get that from var/log/* Secondly, I'm already collecting the basic Audit files that are under /var/log/ using the standard TA_Nix , if i want to go with Auditd , is there a different Add-on for this , What are the available options. Appreciate some insight on this from experienced techies.   Thank you, Moh...! ... View more

Hello Splunkers, Can someone help me with a query to detect multiple http errors from single IP , basically when the status code is in 400s/500s. Thank you, regards, Moh ... View more

Hello Splunkers, Has anyone on-boarded Oracle cloud recently, Please share your experience and help with the right Add-on to be used as the one available on Splunk base says not supported anymore. Thanks in advance, regards, Moh ... View more