Activity Feed
- Posted Universal Forwarder 6.4.0 to HEC on Getting Data In. 03-19-2018 03:14 PM
- Posted Re: 6.5.2 unable to decommission an indexer peer node. keeps coming back online after offline command is issued. on Deployment Architecture. 03-19-2018 02:52 PM
- Posted 6.5.2 unable to decommission an indexer peer node. keeps coming back online after offline command is issued. on Deployment Architecture. 01-11-2018 04:20 PM
Topics I've Started
03-19-2018 03:14 PM
Unfortunately, I have a few hundred hosts running 6.4 universal forwarder and I cannot upgrade them. I have a subset of hosts that need to send an application log to HEC on customer's splunk deployment but still send this and all the other logs to our splunk. We already have a few apps for the forwarder to handle different logs in a different way so I decided to create an app for those forwarders to send to the customer so that I can make sure that only the application log gets sent to them.
Hosts are Ubuntu 14.04
Splunk servers are on 16.04 and we run Splunk Enterprise 6.5.2
We don't use HEC on any of our hosts, hence why I'm asking for help here.
I'm confident about all the config files except outputs.conf: I'm not clear on what defaultGroup does or whether it's even necessary, and the tcpout:app_upstart_logs stanza is also nebulous to me.
outputs.conf
[tcpout]
defaultGroup = ???
forwardedindex.filter.disable = true
indexAndForward = false
maxQueueSize = 250MB
maxConnectionsPerIndexer = 5
[tcpout:app_upstart_logs]
useACK = false
token = XXXXXXXXXXXXXXXXXXXXXXXXXX
server = customer.splunk-server.net:8080
This is my inputs.conf
[monitor:///var/log/upstart/]
disabled = false
sourcetype = app_upstart_logs
blacklist = (\.gz$|\.0$|\.1$|\.2$|\.3$|\.4$|\.5$|\.6$|\.7$|\.8$|\.9$|\.10$|\.report$|lost\+found)
PS: We are running some really old stuff. Feel free to roll your eyes like a teenage valley girl (is that still a thing?). I stand ashamed.
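Added example (not the poster's configuration): one way to express "everything to us, the upstart log also to the customer" with a defaultGroup plus per-input _TCP_ROUTING. In outputs.conf, defaultGroup names the tcpout group that receives every input that does not set its own routing; an input overrides that with _TCP_ROUTING in inputs.conf, listing one or more groups, and a copy is sent to each group listed. The hostnames, group names and ports below are assumptions. Note also that a tcpout group carries the Splunk-to-Splunk protocol to a splunktcp listener (9997 by default), not HTTP to HEC, so this example assumes the customer receives on a splunktcp port.

```ini
# outputs.conf (added example; hostnames and group names are assumed)
[tcpout]
# Inputs that carry no _TCP_ROUTING of their own go to this group only.
defaultGroup = our_indexers
forwardedindex.filter.disable = true
indexAndForward = false
maxQueueSize = 250MB

# Our own indexers (hostnames assumed)
[tcpout:our_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
useACK = true

# The customer's receiver: a splunktcp listener, port assumed
[tcpout:customer]
server = customer.splunk-server.net:9997
useACK = false

# inputs.conf (same added example)
[monitor:///var/log/upstart/]
disabled = false
sourcetype = app_upstart_logs
blacklist = (\.gz$|\.\d+$|\.report$|lost\+found)
# Override defaultGroup for this input only: the upstart log is sent to
# both groups, while every other input keeps following defaultGroup.
_TCP_ROUTING = our_indexers, customer
```

With this layout the customer-specific app on the forwarder only needs to carry the [tcpout:customer] stanza and the _TCP_ROUTING line for the one monitor; the rest of the forwarder's inputs never reference that group, so nothing else can leak to the customer's receiver.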
03-19-2018 02:52 PM
I inherited this deployment and eventually someone who worked on the original project told me to just shut it down and remove it from the master once it lost connectivity. Seriously.
01-11-2018 04:20 PM
What I've tried:
- On the indexer: splunk offline --enforce-counts
  On the master, observing splunk_monitoring_console/indexer_clustering_status: the indexer goes to "decommissioning" but goes back to "on" after a few seconds.
- On the indexer: splunk offline
  On the master, observing splunk_monitoring_console/indexer_clustering_status: the indexer goes away but after a few seconds returns to "on".
- On the master: splunk edit cluster-config -restart_timeout 1800, then restart splunk.
  On the indexer: splunk offline --enforce-counts
  On the master, observing splunk_monitoring_console/indexer_clustering_status: the indexer goes to "decommissioning" but goes back to "on" after a few seconds.
Thanks in advance.