Hello, colleagues. I'm using an independent stream forwarder installed on Ubuntu 22.04.05 as a service. After updating to 8.1.5 bytes_in, bytes_out, packets_in, packets_out are always equal to zero. If I stop the service and change /opt/streamfwd/bin/streamfwd from 8.1.5 to 8.1.3 and start sert service again, everything is ok.  Anybody run into this? thanks. { [-] app_tag: PANA-L7-PEN : ххххххххх bytes_in: 0 bytes_out: 0 dest_ip: x.x.x.x dest_port: 55438 endtime: 2025-05-28T15:01:26Z event_name: netFlowData exporter_ip: x.x.x.x exporter_time: 2025-May-28 15:01:26 exporter_uptime: 3148584010 flow_end_reason: 3 flow_end_rel: 0 flow_start_rel: 0 fwd_status: 64 input_snmpidx: 168 netflow_elements: [ [+] ] netflow_version: 9 observation_domain_id: 1 output_snmpidx: 127 packets_in: 0 packets_out: 0 protoid: 6 selector_id: 0 seqnumber: 2278842767 src_ip: x.x.x.x src_port: 9997 timestamp: 2025-05-28T15:01:26Z tos: 0 } ... View more

Hello, colleagues. I am using independent streamfwd as a service installed on Linux Ubuntu 22.04.05. Streamfwd gets settings from the stream app and gets the indexers list. Everything is ok, streamfwd balancing data between all indexers, but if I made a push from the master node to the indexers cluster, and the indexers are rebooting, data balancing breaks after that streamfwd sending data just to one indexer. I can't find how to fix this. Please help thanks ... View more

Hello, colleagues. After upgrading Splunk Stream 8.1.5 stopped parsing bytes_in, bytes_out, packets_in, packets_out, they are always equal to zero...  { [-] app_tag: PANA-L7-PEN : xxxxxxxxxxxxx bytes_in: 0 bytes_out: 0 dest_ip: x.x.x.x dest_port: xxx endtime: 2025-05-28T15:01:26Z event_name: netFlowData exporter_ip: x.x.x.x exporter_time: 2025-May-28 15:01:26 exporter_uptime: 3148584010 flow_end_reason: 3 flow_end_rel: 0 flow_start_rel: 0 fwd_status: xx input_snmpidx: xx netflow_elements: [ [+] ] netflow_version: 9 observation_domain_id: 1 output_snmpidx: xxx packets_in: 0 packets_out: 0 protoid: 6 selector_id: 0 seqnumber: 2278842767 src_ip: x.x.x.x src_port: 9997 timestamp: 2025-05-28T15:01:26Z tos: 0 } I am using an independent streamforwarder with streamfwd installed as a service on linux ubuntu 22.04.5 If I stop the service and replace the streamfwd file with the old version 8.1.3 and start the service again, everything is ok Anybody run into this?  Thanks! ... View more

Hello!  Is it possible to implement something like this? I have 300+ devices that send logs to one index. I want to check if there are no logs from the device for more than one minute then execute an alert. When the device resumed logs then also a warning. And immediately after the warning update the csv file. My search now looks like this: | tstats latest(_time) as lastSeen where index IN("my_devs") earliest=-2m latest=now by host | lookup devs_hosts_names.csv host OUTPUT dev_name | eval dev_name = if(isnotnull(dev_name),dev_name,"unknow host") | eval status = if((now() - lastSeen<=60),"up","down") | eval status = if(isnotnull(lastSeen),status,"unknow") | search NOT [| inputlookup devs_status.csv | fields host dev_name status] | convert ctime(*Seen) | table host dev_name status lastSeen | - At this time of search I would like to trigger an alert for each dev_name and then rewrite (update)  devs_status.csv  But I don't find how it can be realized, I ask for your help. I'm new to splunk and don't understand how much this kind of request is normal for splunk? Thanks.   ... View more