cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
rjk123
Explorer
Member since: ‎11-23-2019
2 weeks ago
Community Statistics
Posts 4
Solutions 1
Karma Given 2
Karma Received 0
Member Since ‎11-23-2019
View All

How to use Universal Forwarder to send logs to SIE...

by in Deployment Architecture
2 weeks ago
2 weeks ago
I have a UF set to send logs to both Splunk IDX and SIEM, using the TCPOUT settings in outputs.conf, but this is sending via TCP and we want it to use UDP (due to high log rate). Can it be done? There is no option for the tpcout stanza to set a protocol. So it is TCP only. I found there is a syslog-out stanza for the outputs.conf file, which can use UDP or TCP, but that one also says it can't be used on UFs. Am I stuck with TCP, or is there another way? Thanks for any responses, Rod. ... View more
Labels

upgrade steps for clustered environment 7.3.3 to 8...

by in Installation
‎04-08-2021 11:16 PM
‎04-08-2021 11:16 PM
I am preparing to upgrade a distributed and clustered Splunk Enterprise install from 7.3.3 to 8.1.2, but the install guides are not clear for the correct method. My current plan is to upgrade in the following order: Deployment Servers (primary and standby) Cluster Masters / License Masters (primary and standby) Search Head cluster 2-site Indexer cluster and afterward, all the HFs and UFs (many of each).   Where I'm not clear is the SH/IDX process. SH: rolling or all at once? IDX: one site at a time, or all at once? I have found documentation that says we can do rolling upgrade of SH's, and can do IDX's one site at a time, but other documentation that implies I have to do all SH and IDX in one big hit (because 7.3.3 > 8.1.2 is more than a single version jump). My colleagues are in conflict which is correct. Any clues to the real answer here? Thanks for any help. ... View more
Labels

Re: is the index field in inputs.conf case sensiti...

by in Getting Data In
‎08-27-2020 05:13 AM
‎08-27-2020 05:13 AM
Don't worry, I think I found it. I can see other logs configured in inputs.conf with the same case, and these show up okay in splunk. Answer = NOT case sensitive. ... View more

is the index field in inputs.conf case sensitive?

by in Getting Data In
‎08-27-2020 04:12 AM
‎08-27-2020 04:12 AM
I have an example where logs are not shown in splunk search, and I can see the index name in the inputs file has mixed case, but the actual index name is all lower case. Will this the cause the logs to not get ingested? I also note the sourcetype case is wrong too, so are any/all these fields case sensitive? actual index name: "target_index"   [monitor:///file/path/logfile.log] index = Target_Index sourcetype = mBAS_log disabled = false Thanks for the help.   ... View more
Contact Me
Online Status
Offline
Date Last Visited
2 weeks ago
Karma given to
View All