This app does not support Aruba Central. I am working on adding support for syslog from Central OnPrem and evaluating creating an app using the supported Central module, but that would likely be another app and not part of this app.
This really depends on your environment's configuration. If your indexers are separate, where you are using indexer clustering but want to have multiple copies of the data:
outputs.conf config example:
[tcpout]
defaultGroup=indexer1,indexer2
[tcpout:indexer1]
server=10.1.1.197:9997
[tcpout:indexer2]
server=10.1.1.200:9997
Then there is no load balancing to take place, as you only have data going to each of your indexers at the same time.
However, if you have indexer clustering, where your indexers are making copies of your data for you, or you have no need to duplicate logs to multiple environments, using this example with load balancing prevents several forwarders from sending data to one indexer, because indexers have no way to communicate to the clients that they are loaded other than to stop receiving data.
outputs.conf example:
[tcpout]
defaultGroup=my_indexers
[tcpout:my_indexers]
server=mysplunk_indexer1:9997, mysplunk_indexer2:9996
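The difference between the two outputs.conf layouts above (a comma-separated defaultGroup clones every event to each group; several servers inside one group are load balanced) is easy to get wrong by hand. The following checker is an added example, not code from the original post or from Splunk: it parses a forwarder's outputs.conf with Python's configparser and reports which mode the file produces, plus the misconfigurations that silently drop or duplicate data (a defaultGroup naming a stanza that does not exist, a group with no servers, the same indexer listed in two groups). The three sample configurations are constructed for the example; the first two are the ones from the post.

```python
"""Added example (not from the original post or from Splunk): classify a
forwarder's outputs.conf as cloning (every event copied to each group named
in defaultGroup) or load balancing (events spread across the servers listed
inside one group), and flag stanzas that will silently misbehave."""
import configparser


def parse_outputs_conf(text: str) -> dict:
    """Return {"mode": ..., "groups": {name: [host:port, ...]}, "problems": [...]}.

    mode is one of "clone", "loadbalance", "clone+loadbalance" or "single".
    """
    # Only '=' separates key and value; ':' appears inside host:port values.
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive (defaultGroup)
    cp.read_string(text)

    problems = []
    default = cp.get("tcpout", "defaultGroup", fallback="")
    wanted = [g.strip() for g in default.split(",") if g.strip()]
    if not wanted:
        problems.append("[tcpout] has no defaultGroup; no events will be forwarded")

    groups = {}
    seen = {}  # server -> first stanza that listed it
    for name in wanted:
        stanza = f"tcpout:{name}"
        if not cp.has_section(stanza):
            problems.append(f"defaultGroup names '{name}' but [{stanza}] is not defined")
            continue
        servers = [s.strip() for s in cp.get(stanza, "server", fallback="").split(",") if s.strip()]
        if not servers:
            problems.append(f"[{stanza}] has no server= entries")
        for srv in servers:
            if srv in seen:
                # Each group sends its own copy, so one indexer listed in two
                # groups indexes the same event twice.
                problems.append(f"{srv} appears in both [{seen[srv]}] and [{stanza}]; events will be duplicated")
            seen.setdefault(srv, stanza)
        groups[name] = servers

    cloning = len(groups) > 1                          # more than one target group
    balancing = any(len(s) > 1 for s in groups.values())  # several servers in a group
    if cloning and balancing:
        mode = "clone+loadbalance"
    elif cloning:
        mode = "clone"
    elif balancing:
        mode = "loadbalance"
    else:
        mode = "single"
    return {"mode": mode, "groups": groups, "problems": problems}


# Constructed inputs: the two configurations from the post, plus one with a
# typo in defaultGroup to show the diagnostic.
CLONE_CONF = """
[tcpout]
defaultGroup=indexer1,indexer2
[tcpout:indexer1]
server=10.1.1.197:9997
[tcpout:indexer2]
server=10.1.1.200:9997
"""

LB_CONF = """
[tcpout]
defaultGroup=my_indexers
[tcpout:my_indexers]
server=mysplunk_indexer1:9997, mysplunk_indexer2:9996
"""

BROKEN_CONF = """
[tcpout]
defaultGroup=my_indexer
[tcpout:my_indexers]
server=mysplunk_indexer1:9997
"""

if __name__ == "__main__":
    for label, conf in (("clone", CLONE_CONF), ("lb", LB_CONF), ("broken", BROKEN_CONF)):
        plan = parse_outputs_conf(conf)
        print(label, plan["mode"], plan["groups"], plan["problems"])
```

Run it against the real file with `parse_outputs_conf(open("/opt/splunk/etc/system/local/outputs.conf").read())`; a non-empty `problems` list is worth fixing before you trust that a forwarder is delivering anything at all.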
You are probably hitting the length issue with Cisco's default syslog configuration.
Have your ISE administrator verify the maximum length settings. It should be set to 8192.
The other way to tell, via the log, is the numbering prior to the time. Example below.
CISE_Profiler 0006602215 1 0 2018-02-15 11:27:10.946
The number 1 means syslog 1 message; the second number 0 means this is message id 0 (#1), counting from 0. If you see 3 1, this is likely the issue where the maximum length wasn't increased and Splunk is receiving the messages broken into several messages.
http://docs.splunk.com/Documentation/AddOns/released/CiscoISE/ConfigureCiscoISEsystemlogging
Maximum Length: 8192. Events will be broken if you use a smaller value.
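The header the post describes (category, sequence number, total segments, segment index, then the timestamp and message) is enough to find fragmented events in a sample of raw syslog before anyone touches the ISE configuration. The script below is an added example, not code from the original post or from the Cisco ISE add-on: it parses that header from a list of lines, lists the sequence numbers that arrived as more than one segment (what the post calls seeing "3 1"), and stitches complete sets of segments back together. The sample lines are constructed for the example; the assumption that continuation segments repeat the four header fields and then carry the rest of the message text, with no second timestamp, follows from the post's description and should be checked against your own logs.

```python
"""Added example (not from the original post or from the Cisco ISE add-on):
parse the Cisco ISE syslog header described above, report which sequence
numbers arrived in more than one segment, and reassemble the pieces."""
import re
from collections import defaultdict

# category, 10-digit sequence number, total segments, segment index, rest of line
ISE_HEADER = re.compile(
    r"^(?P<cat>CISE_\w+) (?P<seq>\d{10}) (?P<total>\d+) (?P<idx>\d+) (?P<body>.*)$"
)


def parse_ise_line(line: str):
    """Split one raw line into its header fields; None if it is not an ISE line."""
    m = ISE_HEADER.match(line)
    if not m:
        return None
    return {
        "cat": m["cat"],
        "seq": m["seq"],
        "total": int(m["total"]),
        "idx": int(m["idx"]),
        "body": m["body"],
    }


def segment_report(lines):
    """Return (fragmented, complete, incomplete).

    fragmented: [(category, seq)] whose total-segments field is greater than 1,
                i.e. ISE split the message because it exceeded the configured length
    complete:   {(category, seq): reassembled text} for messages with every segment present
    incomplete: [(category, seq)] missing at least one segment
    """
    parts = defaultdict(dict)  # (cat, seq) -> {idx: (total, body)}
    for line in lines:
        rec = parse_ise_line(line)
        if rec is None:
            continue
        parts[(rec["cat"], rec["seq"])][rec["idx"]] = (rec["total"], rec["body"])

    fragmented, complete, incomplete = [], {}, []
    for key, segs in parts.items():
        total = next(iter(segs.values()))[0]
        if total > 1:
            fragmented.append(key)
        if set(segs) == set(range(total)):
            # Assumption: segments concatenate in index order with no separator.
            complete[key] = "".join(segs[i][1] for i in range(total))
        else:
            incomplete.append(key)
    return fragmented, complete, incomplete


# Constructed sample: one single-segment event, one three-segment event split by
# a too-small maximum length, and one event whose second segment never arrived.
SAMPLE = [
    "CISE_Profiler 0006602215 1 0 2018-02-15 11:27:10.946 +00:00 0000001234 80002 INFO "
    "Profiler: Endpoint profile changed, EndpointMacAddress=00:11:22:33:44:55,",
    "CISE_Passed_Authentications 0006602216 3 0 2018-02-15 11:27:11.100 +00:00 0000001235 5200 NOTICE "
    "Passed-Authentication: Authentication succeeded, UserName=alice, ",
    "CISE_Passed_Authentications 0006602216 3 1 NAS-IP-Address=10.0.0.5, "
    "Calling-Station-ID=00-11-22-33-44-55, ",
    "CISE_Passed_Authentications 0006602216 3 2 AuthenticationMethod=PEAP, EndPointMatchedProfile=Workstation,",
    "CISE_Passed_Authentications 0006602217 2 0 2018-02-15 11:27:12.000 +00:00 0000001236 5200 NOTICE "
    "Passed-Authentication: Authentication succeeded, UserName=bob, ",
]

if __name__ == "__main__":
    frag, done, missing = segment_report(SAMPLE)
    print("fragmented:", frag)
    print("incomplete:", missing)
    for key, text in done.items():
        print(key, "->", text[:80])
```

A quick triage on a real capture is `fragmented, _, _ = segment_report(open("ise.log").readlines())`: if that list is non-empty after the maximum length has been raised to 8192, the setting did not take effect on the node that produced those lines.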
Additional recommendation: if your logs are really high volume, you may want to increase the number of parallel pipelines.
server.conf
[general]
parallelIngestionPipelines=(more than 1)
Be careful to watch system resources, as it is basically an x-fold increase in the system workload. Most times just increasing this to 2 is enough to increase the performance.
This isn't an answer...
I know it's a 404; that is why I posted asking where it went.
The other Puppet app is really old and not compatible with current Puppet. Splunk and Puppet had a big press release about it back in April of 2016...
There are several overlapping field aliases causing inconsistent issues.
I recommend the following changes.
Before:
FIELDALIAS-cisco-ise-user_name-as-UserName = User_Name AS UserName
After:
FIELDALIAS-cisco-ise-user_name-as-UserName = User_Name AS user
The UserName field is used in part of the ISE log services, and is being overwritten inconsistently with blank data.
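Overlapping aliases are hard to spot by eye once a props.conf stanza has a few dozen FIELDALIAS lines. The script below is an added example, not code from the original post or from the add-on: it parses a props.conf text with configparser, pulls every `src AS dst` pair out of each FIELDALIAS setting (the `ASNEW` form is treated the same way here), and reports destination fields that more than one alias writes to inside the same stanza. The sourcetype stanza name and the second alias that also targets UserName are constructed for the example to show the collision the post describes; the "after" text applies the post's change.

```python
"""Added example (not from the original post or from the add-on): scan the
FIELDALIAS settings in a props.conf stanza and report destination field
names that more than one alias writes to."""
import configparser
import re
from collections import defaultdict

# One "src AS dst" (or "src ASNEW dst") pair; either side may be a quoted name.
PAIR = re.compile(r'("[^"]+"|\S+)\s+AS(?:NEW)?\s+("[^"]+"|\S+)', re.IGNORECASE)


def alias_pairs(value: str):
    """Return [(src, dst), ...] from the right-hand side of a FIELDALIAS setting."""
    return [(s.strip('"'), d.strip('"')) for s, d in PAIR.findall(value)]


def find_alias_collisions(props_text: str) -> dict:
    """Return {stanza: {dst: [(alias_setting, src), ...]}} for every dst with more than one writer."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep FIELDALIAS-... setting names exactly as written
    cp.read_string(props_text)
    result = {}
    for stanza in cp.sections():
        writers = defaultdict(list)  # dst field -> list of (setting name, src field)
        for key, value in cp.items(stanza):
            if not key.startswith("FIELDALIAS-"):
                continue
            for src, dst in alias_pairs(value):
                writers[dst].append((key, src))
        dup = {dst: w for dst, w in writers.items() if len(w) > 1}
        if dup:
            result[stanza] = dup
    return result


# Constructed props.conf fragments. The stanza name and the second alias that
# also writes UserName are hypothetical; the User_Name aliases are the post's.
PROPS_BEFORE = """
[cisco:ise:syslog]
FIELDALIAS-cisco-ise-user_name-as-UserName = User_Name AS UserName
FIELDALIAS-cisco-ise-example-as-UserName = Example_User AS UserName
FIELDALIAS-cisco-ise-nas-ip = NAS_IP_Address AS dest_ip
"""

PROPS_AFTER = """
[cisco:ise:syslog]
FIELDALIAS-cisco-ise-user_name-as-UserName = User_Name AS user
FIELDALIAS-cisco-ise-example-as-UserName = Example_User AS UserName
FIELDALIAS-cisco-ise-nas-ip = NAS_IP_Address AS dest_ip
"""

if __name__ == "__main__":
    for label, text in (("before", PROPS_BEFORE), ("after", PROPS_AFTER)):
        print(label, find_alias_collisions(text))
```

Point it at the merged configuration (`splunk btool props list <sourcetype>`) rather than a single file, since an alias added in a local override collides with one shipped in the add-on's default just as readily.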
Hi WStallWood,
There are two parts to the AWS billing features in the new Splunk app. I learned the hard way as well. The issue you're having is with the lack of the CloudWatch-based billing reports. Unfortunately this is only available to the consolidated billing account and would require you to be permitted access to those CloudWatch metrics.
However, the historical reports should work via the dashboard.