×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
khin
Explorer
Member since: ‎06-29-2022
‎08-15-2022
Community Statistics
Posts 6
Solutions 2
Karma Given 1
Karma Received 1
Member Since ‎06-29-2022
Activity Feed
View All

Re: Overriding an index name at indexer

by in Getting Data In
‎07-07-2022 11:50 PM
‎07-07-2022 11:50 PM
Hi PickleRick, thank you for the fast reply. It is because the two indexers are from different environments and they want their indexes to be named accordingly. Could you elaborate further on cloning the sourcetype? An example will be a lot of help. Thanks! ... View more

Re: Splunk 8.2.1 and 7.3.1, data not onboarded

by in Getting Data In
‎07-07-2022 06:58 PM
‎07-07-2022 06:58 PM
This was solved by configuring the outputs.conf properly. The second 7.3.1.1 HF (outputs.conf) [tcpout] defaultGroup = indexer01, indexer02 [tcpout:indexer01] server=indexer01_IP [tcpout:indexer02] server=indexer02_IP     ... View more

Can I override an index name at indexer?

by in Getting Data In
‎07-07-2022 06:50 PM
‎07-07-2022 06:50 PM
Hi, I have a set up where an UF is sending data into HF. From HF, the data is supposedly to be sent to two different indexers with different indexes. For example, indexer01 receives the data with indexA while indexer02 receives the same data with indexB.  This is what I have tried so far, but not working.  However the data flow is correct and sending the same data to both indexers with the predefined indexA from UF. inputs.conf (UF) [monitor:///home/name/samplelogs] disabled = false index = indexA sourcetype = sourcetypeA inputs.conf (HF) [splunktcp://9997] outputs.conf (HF) [tcpout] defaultGroup = indexer01, indexer02 [tcpout:indexer01] server=indexer01_IP [tcpout:indexer02] server=indexer02_IP inputs.conf (indexer02) [splunktcp://9997] index=indexA queue=parsingQueue props.conf (indexer02) [sourcetypeA] (or) [host::UF_hostname] (or) [source::/home/name/samplelogs] TRANSFORMS-index = overrideindex transforms.conf (indexer02) [overrideindex] DEST_KEY =_MetaData:Index REGEX = . FORMAT = indexB  Any help would be appreciated!  Thanks! ... View more

Why am I not receiving events from Splunk 7.3.1 UF...

by in Getting Data In
‎06-29-2022 09:40 PM
‎06-29-2022 09:40 PM
Hi, I have a mixed version splunk deployment which involves one indexer of 8.2.1 and another of 7.3.1. There are also 3 Heavy Forwarders linked to one another to reach indexers. Here are the versions: Indexer 01 - 8.2.1 Indexer 02 - 7.3.1.1 2HFs - 7.3.1.1 1HF - 8.21. 1UF - 7.3.1 This is how the data from UF is forwarded to indexers. UF -> 7.3.1.1 HF -> 7.3.1.1 HF -> Indexer 02, UF-> 7.3.1.1 HF -> 7.3.1.1 HF -> 8.2.1 HF -> Indexer01 Both indexers can receive _internal logs from all UF and HFs, but only Indexer 02 (7.3.1.1) can receive main and other custom indexes. This is the concern.  I should be able to receive events from 7.3.1 UF in 8.2.1 Indexer according to this . It mentions 7.3.1 and 8.2.1 are compatible but limited support. What does it mean by limited support?  What I have tested so far is that, fully 7.3.1 environment and fully 8.2.1 environment can receive custom logs from UF, but the mixed one hasn't worked yet. Is there anything I must have missed out? Thank you and much appreciated!     ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-15-2022 05:27 AM
Karma given to
View All