We recently found out that we couldn't send TCP data as Syslog because it didn't have the proper header, but streaming it as TCP works perfectly fine. What are the best practices surrounding a native TCP port vs. Syslog?  ... View more

This subject keeps baffling us - Can I configure restartSplunkd to true for all applications?  One thing we saw is that when we bounce the deployment server during the Linux maintenance window, all the apps covered in the serverclasses are being redeployed, I was under the impression that only when we run the following, the hosts associated with this serverclass stanza are being bounced - splunk reload deploy-server -class <server_class_name>   Do I miss anything? ... View more

Based on the Which apps need the restartSplunkd to be true? I would like to configure all apps to have restartSplunkd as true without specifying it explicitly.  I added to the top of serverclass.conf -  [global] crossServerChecksum = true restartSplunkd = true [default] restartSplunkd = true  And still, after deploying an app, restartSplunkd at the app level is false on the UI. What am I missing? ... View more

We struggled a bit to make the DB Connect connection using TLS. Apparently we have a choice between SQL Service and an AD Account. Is there a preferred way to set these TLS connections? ... View more

Our custom here is to create a props app and an inputs app. The inputs apps are being deployed on the on-prem side, while for the props apps we usually deploy on the cloud. I wonder whether to consolidate inputs and props into one app for simpler administration. ... View more

We recently realized that the restartSplunkd attribute is more effective when defined at the individual app level rather than the server class level. We are currently refactoring our serverclass.conf to assign this attribute to every app, but we want to be more surgical with our approach. Could anyone clarify the logic behind which specific types of apps require a Splunk restart to take effect? Specifically, we are looking for guidance on these scenarios: Apps deployed to Universal Forwarders (UFs). Heavy Forwarders (HFs). Input apps (inputs.conf). Parsing apps (props.conf and transforms.conf) deployed to Indexers and more. ... View more

@richgalloway explained clearly in the post, that INDEXED_EXTRACTIONS=CSV makes all the fields indexed. What would be a better way to ingest CSV files and avoid the fields from being indexed? ... View more

Hello Splunk Community, My team is currently processing logs from a single source that can contain events with different timestamp formats. We are debating the best configuration approach and would like input from the community. Option 1: Using props.conf with transforms (Current setup) We are currently using a TRANSFORMS-split rule in our props.conf file to differentiate the source types based on some criteria, and then applying a single TIME_FORMAT within each resulting source type stanza. This involves creating several dedicated source types for essentially the same data stream. Configuration Snippet Example: [xxx:tomcat9:catalina1] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) TIME_FORMAT=%d-%b-%Y %H:%M:%S TIME_PREFIX=^ MAX_TIMESTAMP_LOOKAHEAD=20 TRANSFORMS-split = catalina1, catalina2 [tomcat9stdout1] REGEX = \d+\-[a-zA-Z]+-\d+\s\d+\:\d+\:\d+ DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::xxx:tomcat9:stdout1 [tomcat9stdout2] REGEX = [0-9]{4}\-\d+\-\d+\s\d+\:\d+\:\d+ ... (etc for other formats) Option 2: Using datetime.xml The alternative approach suggested is to use a single source type and configure a datetime.xml file. This XML file would contain multiple regular expressions, allowing Splunk to iterate through them and automatically identify the correct timestamp format for each individual event. Question Which approach is considered the industry best practice for handling this specific scenario? Is the datetime.xml method generally more robust and maintainable than splitting source types via transforms? Thanks for your guidance! ... View more

We configured rsyslog to route data from a certain host to the file system of the server, and what we see is that lots of data reaches the file system as well as /var/log/messages. So, if rsyslog is configured to route to the file system, why do we still see data in /var/log/messages? ... View more