
CEF output forwarding everything from all indexes and sources

tlmayes
Contributor

Trying to configure Splunk App for CEF 2.0 on Splunk 6.5.2. Our environment has clustered IDX's, and clustered SH's. I have combed the documents and installed, configured and deployed appropriately, but have missed some detail that I cannot discover.

Went through the process of creating a datamodel/dataset on the clustered SH's, and then proceeded to deploy these using the App for CEF. Then installed the downloaded .spl file to (1) indexer in the cluster for testing. The receiver (destination for the CEF output) now receives 100% of all events. No filtering is occurring.

Built a single stand-alone server to look just like the production environment. Same index, apps, Datamodel, & Dataset. Only difference is that there is no system separation as in a clustered/peer model. The same receiver now receives ONLY the events outlined in the datamodel/dataset.

Stuck (and obviously missing something)

1 Solution

tlmayes
Contributor

Solution to the problem. Finally got support engineers on the phone. Discovered bug in the code, and an erroneous setting in one of the indexers outputs.conf.


tlmayes
Contributor

After testing, it seems the "fix" for the bug didn't work. CEF forwarding v2.0 & v2.0.1 does not work, even with developer support, on what I consider to be a simple deployment.


koshyk
Super Champion

Hi mate, just to double check...

1. Do you have Heavy Forwarders or UFs sending the data to your cluster?
2. Are the raw events cooked before they reach the indexers?
3. Why are you installing the .spl file on the indexer directly? I thought you had to push it via the cluster master's master-apps to the indexer slaves.


tlmayes
Contributor
1. HF's
2. Yes, cooked
3. Maybe you can. We do not push apps to our indexers; as a normal routine we do not install apps on them unless absolutely necessary/required.

Certain the installation method or process has nothing to do with this problem.


tlmayes
Contributor

45 days now working with Splunk support on this issue, and no resolution.

Has anybody got this app to work in a clustered IDX/SH environment, and been able to do so more than once? It is easy to get it to work on a single server, but not in a clustered environment.
