I am creating a 2nd SH cluster (with its own Deployer), and both SH clusters (old and new) will be accessing a single (multi-site) IDX cluster. The existing SH cluster is using Site 0, and the indexers are using site 1 and 2. Do I need to configure the new SH cluster with a unique site id, eg. Site 4, or does not not matter? There seems to be about zero docs for multiple SH clustering. Thanks.   ... View more

I already have a clustered enterprise environment and I want to create an additional SH cluster for a dedicated purpose, but using the same IDX cluster. Do I need an additional Deployer server for this, or can I have the existing Deployer manage multiple SH clusters? How to do this? Thanks for any suggestions. R.   ... View more

I have configured a Splunk HF with the following inputs.conf stanzas (details changed) for two new device logs. Note the explicit host setting for each: [monitor:///path/splunklogs/10.10.1.1/*.log] disabled = false host = myhost10 sourcetype = syslog index = my_index [monitor:///path/splunklogs/10.20.1.1/*.log] disabled = false host = myhost20 sourcetype = syslog index = my_index I created the index at the same time, so to validate its working I simply ran a search "index=my_index" (knowing there will be nothing else there). But surprisingly, the search returns events from three hosts instead of two! The first device looks okay, but for the second one (ie. the second inputs stanza), some of the events are showing the wrong host value. It seems to be picking up a host value embedded in the event, but I don't see how. And I thought the inputs 'host' setting would override that anyway. So, from the below example, the host SHOULD be set to 'myhost20' from the inputs stanza, but instead is showing as host 'xyz000000001234'. Can anyone explain how that could be happening, and so, how to prevent it? Sample event, with the standard fields below it: 2023-06-08T14:38:51+10:00 Sev=notice Facility=user Hostname=<loadbalancer> Header="Client " Message="Client IP: 10.20.1.1 | <109>Jun 8 14:40:11 xyz000000001234 some_field -: AUDIT [dvc="10.20.1.1" dvchost="10.20.1.1" version="7.7" user="<user>" role="" source="10.1.2.3" type="user_action" outcome="success" message="2023-06-08T14:40:11+10:00 abc120000001111 sshd\[2876138\]: Accepted keyboard-interactive/pam for device from 10.1.2.3 port 12345 ssh2"]" host = xyz000000001234 index = my_index source = /path/splunklogs/10.20.1.1/10.20.1.1-08-06-2023:14.log sourcetype = syslog   Thanks for any response. R. ... View more

I have a UF set to send logs to both Splunk IDX and SIEM, using the TCPOUT settings in outputs.conf, but this is sending via TCP and we want it to use UDP (due to high log rate). Can it be done? There is no option for the tpcout stanza to set a protocol. So it is TCP only. I found there is a syslog-out stanza for the outputs.conf file, which can use UDP or TCP, but that one also says it can't be used on UFs. Am I stuck with TCP, or is there another way? Thanks for any responses, Rod. ... View more

I have an example where logs are not shown in splunk search, and I can see the index name in the inputs file has mixed case, but the actual index name is all lower case. Will this the cause the logs to not get ingested? I also note the sourcetype case is wrong too, so are any/all these fields case sensitive? actual index name: "target_index"   [monitor:///file/path/logfile.log] index = Target_Index sourcetype = mBAS_log disabled = false Thanks for the help.   ... View more