Activity Feed
- Posted Re: Re-add search head. on Deployment Architecture. 03-15-2025 10:07 PM
- Posted Re: Re-add search head. on Deployment Architecture. 02-27-2025 04:11 AM
- Posted Re: Re-add search head. on Deployment Architecture. 02-26-2025 05:50 AM
- Posted Re-add search head. on Deployment Architecture. 02-25-2025 10:10 PM
- Posted dovecot Logs on Splunk Enterprise. 07-23-2024 10:07 PM
- Posted Re: Having Syslog logs into SPLUNK on Splunk Enterprise. 07-16-2024 08:06 PM
- Posted Re: Having Syslog logs into SPLUNK on Splunk Enterprise. 07-16-2024 07:03 PM
- Posted Re: Having Syslog logs into SPLUNK on Splunk Enterprise. 07-16-2024 07:01 PM
- Posted Having Syslog logs into SPLUNK on Splunk Enterprise. 07-16-2024 06:31 PM
03-15-2025
10:07 PM
Thank you so much for the assistance. Below are the steps I used:

I checked on sh02 /opt/splunk/etc/system/default and I observed preferred_captain = true. Since I wanted to make this instance the captain, I left that as it was. Ran the same on sh01 and sh03 and got the same result. Therefore, I navigated to /opt/splunk/etc/system/local/server.conf and under the [shclustering] stanza added preferred_captain = false on both instances.

-> I ran this command on sh02 to make it a static captain:
"splunk edit shcluster-config -mode captain -captain_uri <URI>:<management_port> -election false"

-> I ran this command on sh01 and sh03:
"splunk edit shcluster-config -mode member -captain_uri <URI>:<management_port> -election false"
02-27-2025
04:11 AM
o, sorry for the late reply. If I run that one with -current_member_uri I get the below issue:

Node splsearch01 is already part of cluster id=2A5DDFE0-B873-4201-8B68-D2ACB4873DA7. To add a new member via this node use new_member_uri. Run 'splunk help add shcluster-member' for more info.
02-26-2025
05:50 AM
When I run ./splunk add shcluster-member -new_member_uri https://<CAPTAIN_IP>:8089 I get:

Failed to proxy call to member https://<CAPTAIN_IP>:8089. ERROR: Node splsearch02 is already part of cluster id=2A5DDFE0-B873-4201-8B68-D2ACB4873DA7. A node cannot be part of two clusters. If you want to re-purpose this node, run 'splunk clean all' to clean this instance and then add to the cluster.
02-25-2025
10:10 PM
I tried to run ./splunk remove shcluster-member -mgmt_uri https://<CAPTAIN_IP>:8089 on the non-captain search head, which was successful. But on the re-election of the new captain with this command, it gave me an error. I ran the command:

./splunk add shcluster-member -mgmt_uri https://<NEW_CAPTAIN>:8089 -current_member_uri https://<PREV_CAPTAIN>:8089

WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Argument "mgmt_uri" is not supported by this handler.

But now, when I run the command ./splunk show shcluster-status --verbose on the new captain, I see the previous captain is no longer in the member section. If anyone could help, I would appreciate it.
07-23-2024
10:07 PM
Hello team, I am working with dovecot logs; they are mail logs. I managed to integrate them with Splunk through syslog. It gives me the logs in this format (attached screenshot). Now, I want to create a new field to hold the value of to/receiver. From the screenshot, the value of to/receiver is in lda(value). NOTE: in the below screenshot I don't have to/receiver values, I just have from/sender and subject. Help me please!
07-16-2024
08:06 PM
Thanks for the help, I see the logs now. I tried to use a different port to take the logs from the syslog conf file.
source s_network {
udp(port(10514));
};
destination d_splunk {
udp("localhost" port(11514));
};
log {
source(s_network);
destination(d_splunk);
};
For this now I see the logs...
07-16-2024
07:03 PM
@Tom_Lundie what about the syslog configuration? What should I do with it?
07-16-2024
07:01 PM
Thank you so much for your help. I am new to Splunk and I really want to master it. I will go and check the config as you said and I will let you know.
07-16-2024
06:31 PM
We are in the process of data onboarding. We managed to deploy a distributed architecture in which we have 3 indexers, 3 search, mastercluster, deployer, deployment, and 2 intermediate forwarders. On my syslog server, I receive logs from the firewall through syslog port 10514, and I managed to install a forwarder on my syslog server connected to my deployment server. In my forwarder configuration file, I connect to both intermediate forwarders. Now help me to finish this task: how can I manage to see the firewall logs in my Splunk? What do you think I should edit on my syslog server? Please remember I don't write the syslog logs (firewall) into a file. They are on-stream logs.

My forwarder inputs.conf file:

[udp://514]
connection_host = ip
index = tcra_firewall_idx
sourcetype = tcra:syslog:log
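The thread above shows a syslog-ng relay that forwards to localhost on one UDP port while the forwarder's inputs.conf listens on another; when the two disagree the firewall events are silently dropped and a detection gap opens without any error in Splunk. The following script is an added example, not code from the thread or from Splunk: it parses constructed copies of both configs and reports syslog-ng destinations aimed at localhost that no [udp://...] stanza listens on (the constructed configs here reproduce the thread's mismatch).

```python
import re

# Constructed copies of the two configs from the thread (syslog-ng relay and
# Splunk forwarder inputs.conf); the port mismatch (11514 vs 514) is deliberate.
SYSLOG_NG_CONF = """
source s_network {
    udp(port(10514));
};
destination d_splunk {
    udp("localhost" port(11514));
};
log {
    source(s_network);
    destination(d_splunk);
};
"""

INPUTS_CONF = """
[udp://514]
connection_host = ip
index = tcra_firewall_idx
sourcetype = tcra:syslog:log
"""

# udp("host" port(N)) destinations in syslog-ng syntax (assumed shape, no TLS/TCP variants)
DEST_RE = re.compile(r'destination\s+(\w+)\s*\{\s*udp\(\s*"([^"]+)"\s*port\((\d+)\)\s*\)', re.S)
# Splunk inputs.conf UDP stanzas: [udp://<port>] or [udp://<remote host>:<port>]
STANZA_RE = re.compile(r'^\[udp://(?:([^:\]]+):)?(\d+)\]', re.M)

def syslog_ng_destinations(conf):
    """Return {name: (host, port)} for every udp() destination in a syslog-ng config."""
    return {name: (host, int(port)) for name, host, port in DEST_RE.findall(conf)}

def splunk_udp_ports(conf):
    """Return the set of UDP ports inputs.conf tells the forwarder to listen on."""
    return {int(port) for _host, port in STANZA_RE.findall(conf)}

def find_port_mismatches(syslog_conf, inputs_conf):
    """List syslog-ng destinations that send to localhost on a port with no listening stanza."""
    listening = splunk_udp_ports(inputs_conf)
    problems = []
    for name, (host, port) in syslog_ng_destinations(syslog_conf).items():
        if host in ("localhost", "127.0.0.1") and port not in listening:
            problems.append((name, port, sorted(listening)))
    return problems

if __name__ == "__main__":
    for name, port, ports in find_port_mismatches(SYSLOG_NG_CONF, INPUTS_CONF):
        print(f"destination {name} sends to localhost:{port}, but inputs.conf listens on {ports}")
```

Point the two constants at the real files and run it on the syslog host whenever either config changes; an empty result means every local relay destination has a matching listener.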