Hi all, I have migrated a 9.0.4 HF from a Windows Server 2012 to a Window server 2022. The original connector was working fine, while the new one (with the same settings) keeps crashing. This is the error I got almors every minute on Application event viewer: Faulting application name: splunk-winevtlog.exe, version: 2305.256.25832.56887, time stamp: 0x64e8dfcc Faulting module name: ntdll.dll, version: 10.0.20348.1970, time stamp: 0x31881ea2 Exception code: 0xc0000374 Fault offset: 0x0000000000104909 Faulting process id: 0x1304 Faulting application start time: 0x01d9ed2bd5be870c Faulting application path: C:\Program Files\Splunk\bin\splunk-winevtlog.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: 45c2b6fd-2c6e-484d-9602-eb948052101d Faulting package full name: Faulting package-relative application ID:   I tried to upgrade the HF to version 9.0.6 and then to version 9.1.1 but the error persist. It seems to be caused by the inputs configured on Splunk_TA_windows (version 8.7.0 installed). This is the enabled inputs that cause the issue: [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist3 = 4656,4658,4690,5031,5140,5150,5151,5154,5155,5156,5157,5158,5159 renderXml = false index = wineventlog ###### Forwarded WinEventLogs (WEF) ###### [WinEventLog://ForwardedEvents] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 ## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false. renderXml = true host = WinEventLogForwardHost index = wineventlog   The only solution I found is to disable the ForwardedEvents input. This way the HF works as expected. I also tried to set current_only=1 on that input with no luck. Does anyone knows if it's a know issue and how to troubleshoot this? Regards Alessandro ... View more

I know that Forwarders 6.x are out of support and that from the documentation they are not compatible with Indexer 9.x, but does anyone knows if a Light Forwarder is able to communicate and send events to an Indexer 9.x? Thanks! ... View more

Hi all, i have a Splunk indexer (version 6.2.14) that receives events from a Splunk forwarder (same version). On the forwarder I have a monitor that reads some files from local filesystem and forwards a subset of them to the indexer. The indexer receives events on a TCP over TLS port and indexes the evens with no problem. Filter on the forwarder works as expected. Now I need to continue to index all that comes from the forwarder, but moreover I need to forward a subset of events received to a third-party destination with TCP (no TLS) protocol. Here is the config I have build: *FORWARDER outputs.conf * [tcpout] defaultGroup = <INDEXER_IP>_9999 sslCertPath = /... sslRootCAPath = /... sslVerifyServerCert=false maxQueueSize = 100MB forwardedindex.3.blacklist = (_internal|_audit|_telemetry|_introspection) [tcpout:<INDEXER_IP>_9999] autoLB = false server = <INDEXER_IP>:9999 transforms.conf [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = . DEST_KEY = queue FORMAT = indexQueue [CA] REGEX = (?s)\d+\s\[-(?:07628|07777|07649|07675|07676|07697|07698|07705|07714|07717|07718|07719|07724|07725|97726|07727|07734|07751|07753|07765|07767|07783|07792|07816|07819|07824|07827|07836|07841|07842|07849|07854|07884|07886|07888|07889|07895|07896|07899|07900|07901|07903|07914|07916|07929|07930|07932|07933|07943|07948|07951|07952|07953|07954|07955|07956|07960|07963|07964|07966|07968|07972|07984|07965|07823|07977|07941|07992|07982|07981|07979|07994|07647|07840|07790|07756|07743|07744|07989|07990|07993|07618)\s DEST_KEY = queue FORMAT = indexQueue [udpsyslog] REGEX = .*\]\: Accepted password.*|.*\)\: session closed.*|.*\)\: session opened.*|.*\)\: authentication failure.*|.*\]\: Failed password for.*|.*\: invalid user.*|.*\: password changed for.* DEST_KEY = queue FORMAT = indexQueue inputs.conf [default] host = <FORWARDER> [monitor:///tmp/file.log] time_before_close = 15 disabled = false followTail = 0 sourcetype = CA INDEXER: inputs.conf [default] host = <INDEXER> [splunktcp-ssl:9999] _INDEX_AND_FORWARD_ROUTING=STRING _TCP_ROUTING=my_syslog_ca [SSL] cipherSuite = TLSv1.2+HIGH:!3DES:@STRENGTH password = ********** requireClientCert = false rootCA = /... serverCert = /... sslVersions = tls1.2 outputs.conf [indexAndForward] index=true selectiveIndexing=true [tcpout] defaultGroup=my_syslog_ca forwardedindex.3.blacklist = (_internal|_audit|_telemetry|_introspection) [my_syslog_ca] indexAndForward = true [tcpout:my_syslog_ca] disabled=false sendCookedData=false server=<THIRD_PARTY_IP>:9999 props.conf [source::/tmp/file.log] TRANSFORMS-ca=send_to_syslog_ca transforms.conf [send_to_syslog_ca] REGEX = (?!.*\[-07965.*Client type: GUI.*Operator\/CMS).*\[-07965.*Client type: GUI.*|(?!.*\[-07966.*Client type: GUI.*Operator\/CMS).*\[-07966.*Client type: GUI.*|.*\[-07968.*|.*ALARM.*|.*\[-07963.*|.*\[-07964.*|.*\[-07972.*|.*\[-07792.*|(?!.*\[-07841.*Nearing expiration).*\[-07841.*|(?!.*\[-07842.*Nearing expiration).*\[-07842.*|(?!.*\[-07895.*Nearing expiration).*\[-07895.*|.*\[-07968.* DEST_KEY=_TCP_ROUTING FORMAT=my_syslog_ca As said, on the forwarder everything works as expected, events are read, filtered and sent to indexer. The indexer index the filtered events received with no issues. The problem is that the filter while sending the events to the third party does not works. The indexer sends everything to the third party, not only the events defined on the regex in the indexer's transforms. What am I doing wrong? Thanks in advance. Alessandro ... View more

Hi all! We have configured a Db Connect v2 to read an Oracle database table. The query selects the records correctly and we get the lines indexed in splunk with no issue. The only problem is that the license volume consumed is exceeding the expected volume. Consider that for about 38 million records the size of the index in Splunk is about 18GB but the license volume consumed to load these records is about 70 GB. Who can explain this? Thanks in advance ... View more