Good day, I'm trying to setup the HF to forward to an additional syslog target which expects the RFC5424 (Grafana Alloy) so far the HF is reaching the syslog target but then the target complains about missing priority and I'm not sure if this because of the RFC5424 vs RFC3164 I've tried the following outputs.conf option: [syslog:my_syslog_group] disabled = false server = grafana-alloy.svc.cluster.local:51898 type = tcp #other tested variant priority = <NO_PRI> priority = <34> #tested with or without timeformat timestampformat = %b %e %H:%M:%S How can i make sure that the HF syslog forward is using the RFC5424 format? ... View more

Dear community, it might be an odd question but i need to forward the splunkd.log to a foreign syslog server, therefore i was following the sample from here: https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Forwarding/Forwarddatatothird-partysystemsd So far i have configured the forwarder to forward testing.log (should be splunkd.log later) to the foreign syslog target     #inputs.conf [monitor:///opt/splunk/var/log/splunk/testing.log] disabled=false sourcetype=testing         #outputs.conf [tcpout] defaultGroup=idx-cluster indexAndForward=false [tcpout:idx-cluster] server=splunk-idx-cluster-indexer-service:9997 [syslog:my_syslog_group] server = my-syslog-server.foo:514       #transforms.conf [send_to_syslog] REGEX = . DEST_KEY = _SYSLOG_ROUTING FORMAT = my_syslog_group     So far so good, testing.log appears on the syslog server but not just that, all other messages are forwarded too. Question: How can i configure the (heavy) forwarder to only send testing.log to the foreign syslog server and how can i make sure that testing.log does not getting indexed? In other words - testing.log should only be send to syslog. Many thanks in advance     ... View more

Hi, the size of my Splunk database is at around >1TB+. I would like to know about all available Indexes and especially all of the associated SourceTypes and the amount of it. The search in WebUI works no problem for the last 24hrs but searching for all of the data takes forever and times out. I'm aware that saved searches would be an option but i'm curious to know if  a script would work which recursive scans the database and process all SourceTypes.data file like < /opt/splunk/var/lib/splunk/sampledb/db/db_1680195600_1672423200_0/SourceTypes.data < /opt/splunk/var/lib/splunk/sampledb/db/db_1698782400_1680199200_1/SourceTypes.data ... ... Would this be a feasable option? Many thanks ... View more

I am trying to build my own kvstore geo data, so far i can run | inputlookup geobeta | where endIPNum >= 1317914622 and startIPNum <= 1317914622 | table latitude,longitude That returns: latitude,longitude "51.5128","-0.0638" But how do i combine this with a search? I was trying this but it doesn't work: | makeresults eval ip_address_integer=1317914622 [ | inputlookup geobeta | where endIPNum >= ip_address_integer and startIPNum <= ip_address_integer ]   Many thanks for hints ... View more

Dear Community, i am trying to setup my companies Splunk setup to my home lab for learnig purposes. It is a single site cluster with indexer and search head cluster. So far i am able to setup the cluster master followed by adding the indexer to the cluster master and then setup the shc cluster with its member, bootstrap and then add the shc members to the cluster master. But something i do wrong here, when i look to the MC on the cluster master then only the cluster master itself is showing up with all roles attached. The previous added machines are not appearing? One question ahead, is this kind of setup possible using the free licenses on each peer instead of a license master? thx in advance   ... View more