Hi Splunkers, My indexers are running Splunk Enterprise v6.5.3. I recently upgraded a "test" Universal Forwarder in my environment to v6.6.5, and I'm no longer getting logs going to my indexers from this "test" UF after the upgrade. I'm seeing a bunch of these errors before the logs stopped: WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server hello A', alert_description='handshake failure'. Is this an SSL or cipherSuite incompatibility issue between the two different versions of Splunk? Is there a workaround to get the test forwarder sending logs again, or do I have no choice but to either 1. downgrade the forwarder -OR- 2. upgrade my indexers? Thank you! ... View more

Hi Splunkers! I have a Splunk distributed deployment. One of my customers has a separate Splunk distributed deployment on the same network as mine. All of their Splunk Enterprise servers run on Linux. This customer has recently asked me to ingest basic Linux security logs (things like /var/log/secure) from all of their Splunk Enterprise servers into my Splunk indexers. This is to maintain audit compliance. Since these servers are full-blown Splunk Enterprise servers, and not just Universal Forwarders, I'm having some trouble getting logs to come over to my side correctly. They are already indexing Linux security logs on their side via a local inputs.conf in the Splunk TA for NIX. To get the same logs to my indexers, I'm not sure if this is a matter of putting an outputs.conf on their servers (or modifying an existing outputs.conf on their servers) to also point to my indexers, and then adding a _TCP_ROUTING entry in their existing inputs.conf (the one in the TA for NIX). Also, their linux logs index has a different name than mine. Do I need to set up something on my side (props? transforms?) to do the index translation when the logs arrive on my side? Thank you in advance! ... View more

Hi Splunkers, My program is considering adding 600 more Linux UF endpoints to our current Splunk deployment (we have ~450 total UF endpoints now), and they're asking for a "wish list" of resources to support the additional volume. I have a pretty good idea of my licensing needs, and I've been using the Splunk online sizing tool to figure out how much additional disk capacity we need (based on our retention policies). Is there also a good sizing tool or document out there to help me figure out whether I need to increase RAM/CPU on my indexers, and possibly add another indexer? (and maybe add another deployment server) Just FYI - I currently have a 2 indexer cluster. Each indexer has 16 cores, 31 GB RAM ... View more