cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
sarvananth
Explorer
Member since: ‎07-05-2023
‎03-06-2024
Community Statistics
Posts 5
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎07-05-2023
Activity Feed
View All

Re: Windows event log Splunk HF with truncation

by in Other Usage
‎01-28-2024 02:57 PM
‎01-28-2024 02:57 PM
please check the truncated event from syslog server  We are attempting to send logs to both the Splunk indexer and the syslog server because different teams handle distinct log types. My team manages the system security logs specifically for SOC team monitoring. ... View more

Windows event log Splunk HF with truncation

by in Other Usage
‎01-28-2024 06:19 AM
‎01-28-2024 06:19 AM
We are using Splunk Universal Forwarder (UF) to forward logs from a Windows server to a Splunk Heavy Forwarder (HF). However, when the Splunk HF receives logs of a specific type as multiline, an issue arises. In this case, when attempting to forward these logs from the Splunk HF to a syslog server (a Linux server with rsyslog configuration), the logs are getting truncated. How can we address and resolve this issue? ... View more

How do I configure Splunk Heavy Forwarder (HF) to ...

by in Splunk Enterprise
‎11-23-2023 06:59 PM
‎11-23-2023 06:59 PM
I'm trying to set up a Proof of Concept (POC) environment for Splunk Heavy Forwarder (HF), which is receiving data from SolarWinds SEM. We are using TCP Port 514 to forward logs from SolarWinds SEM. Both Splunk HF and SolarWinds are using free licenses.   SolarWinds has performed the forwarding configuration via the admin console. In the Splunk HF Inputs.conf file, details have been added as below: [TCP://514] connection_host = X.X.X.93 sourcetype = * disabled = false index = SolarWinds-index   Both instances are running on the AWS cloud, same subnet. When I check the Splunk HF interface with the Tcpdump command, I receive the following output: Splunk Host Name - ip-X-X-X-72.ap-southeast-1.compute.internal SolarWinds Host Name - ip-X-X-X-93.ap-southeast-1.compute.internal   00:58:05.726708 IP ip-X-X-X-72.ap-southeast-1.compute.internal.shell > ip-X-X-X-93.ap-southeast-1.compute.internal.36044: Flags [R.], seq 0, ack 3531075234, win 0, length 0 00:58:05.727636 IP ip-X-X-X-93.ap-southeast-1.compute.internal.36054 > ip-X-X-X-72.ap-southeast-1.compute.internal.shell: Flags [S], seq 3042331467, win 64240, options [ 1460,sackOK,TS  1136916397  0,nop,wscale 7], length 0   Splunk HF is receiving logs from the Universal Forwarder (UF) on the Windows server but didn't from SolarWinds SEM.   Can anyone advise on this issue?   ... View more
Labels

Re: Splunk HF exports logs using a CLI command as ...

by in Splunk Search
‎07-25-2023 02:50 AM
‎07-25-2023 02:50 AM
Hi R.Ismo,   yes, it is working fine, and thank you very much for your help. Is it possible to export the logs last 5 minutes using a CLI command?     ... View more

Splunk HF exports logs using a CLI command as a Li...

by in Splunk Search
‎07-21-2023 03:05 AM
‎07-21-2023 03:05 AM
I'm new to Splunk Enterprise, and my task is to forward logs from Splunk HF (AWS EC2 instance) to an AWS Cloud Watch log group. I tried to export the logs using CLI commands and stored them on the Splunk HF server locally. Then, I used the Cloud Watch agent to send the logs to the Cloud Watch log group. please refer the below Splunk cli command for export the logs #./splunk search "index::***** sourcetype::linux_audit" -output rawdata -maxout 0 -max_time 5 -auth splunk:***** >> /opt/linux-Test01.log The challenge I'm facing is that when I run the CLI command using a Linux crontab, it does not export the logs. Are there any other solutions or guidance available to resolve this issue? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-06-2024 02:42 AM
Karma given to
View All