We see interest in FreeBSD in the Splunk community which is why we want to keep the Universal Forwarder on FreeBSD as a supported platform. Further support for other core Splunk components on FreeBSD is definitely related to customer demand relative to other platforms and testing bandwidth. ... View more

There are no plans to remove FreeBSD as a supported platform for the Universal Forwarder and we'll clean up a few things for the UF on FreeBSD in the next release. Look for more details soon. ... View more

Hi ferdie, For this purpose, the only relevant ports open by default on the Splunk Light instance are 8000 for the Web interface and 8089 for the management port. These can be changed during Splunk start up if the ports are already taken. To get a Forwarder connected to send data to a Splunk Light instance AND under the control of the Splunk Light instance, you need to do a couple of things. Open a port on the Splunk Light instance to listen for data from the forwarder. You can do this via the Splunk Light UI in the Data, Receiving section. Let's say you select 9997. On the Forwarder, tell it where to send data. You can do this from the CLI by using splunk add forward-server 10.0.0.2:9997 Where 10.0.0.2 is the address of your Splunk Light server and 9997 is the port you opened to listen. On the forwarder, you will be asked to authenticate locally and if you have not changed the password, the default is admin/changeme. On the Forwarder, tell it you want to control the Forwarder from the Splunk Light instance. Use: splunk set deploy-poll 10.0.0.2:8089 Note that data goes to one port (9997) and management is done through another port (8089). You will also be asked to authenticate again locally to the Forwarder with the default admin/changme. You should now see the Forwarder in the Add Data, Forwarded inputs section on the Splunk Light instance. ... View more

Sorry, formatting. The correct command is above. So, for example, if your Splunk Light server IP address is 10.0.0.2, splunk set deploy-poll 10.0.0.2:8089 ... View more

You also need to point the Forwarder to the Splunk Light server as a Deployment Client. Go to $SPLUNK_HOME/bin on the Forwarder and do: splunk set deploy-poll splunklight-servername/ip:splunklight-mgmt-port The management port is 8089 by default. Then you should see the Forwarder in the Add Data -> Forwarders Section once the Forwarder handshakes with the server. Might not show up immediately but give it a sec and you will see it. ... View more

Yes, I'll apologize again for any pain that this problem has caused. I also freely admit that the collection of this data from forwarders (and how to control it) was not at the forefront of our minds when we implemented it. It was intended for Search Heads and Indexers where resource consumption may be high but I can also see a use case for Forwarders here to verify UF footprint is low. This absolutely wasn't intended to go out of the door enabled by default on forwarders. I would even go a step further here and warn that the primary interfaces where we are viewing this resource collection data in the product, namely in the Distributed Management Console as of Splunk 6.2, are not prepared to deal with this kind of data yet. Not to say that you couldn't build something yourself from the raw logs but we're evaluating how to add several aspects of Forwarder behavior into our out-of-the-box self monitoring interfaces, this definitely being one aspect. ... View more

Thanks for the info. We've moved some capabilities of the Deployment Monitor App into the platform, namely the License Usage/Report. See this. I would also suggest looking at the S.o.S "Indexing and Forwarding" views that allow split-by Forwarders. For now unfortunately, a lot of the Forwarder-centric views/alerts that were in Deployment Monitor don't have an equivalent as we wind down support for Deployment Monitor but we are working on it actively. The Forwarder Management view (viewed in Settings on your Deployment Server, if you use Deployment Server) will give you some insight, a bit differently albeit than the "Missing Forwarder" alert in Deployment Monitor, about which Forwarders were talking to your Deployment Server instance but have ceased phoning home. See this. Definitely acknowledge this is a less active approach than an email alert. ... View more

Hello, I'm curious what features of the Deployment Monitor App you are using. Thanks. ... View more

Many apologies. We're working on putting the -class flag back in. Look for it in an upcoming maintenance release. ... View more

Are these Service Data Records? http://docs.oracle.com/cd/E39414_01/doc.61/e29455/sbpms_sdr.htm#CHDBCIFH ... View more

I believe that is a bug. Should be remedied in an upcoming maintenance release. ... View more

Yes. In the Clients Tab, If you go to All Clients, Deployed Partially then expand any of the individual clients, you should see a link to the deployment server logs that details the deployment error. ... View more

If your test machine has your 6.0 deployment server instance designated in deploymentclients.conf, then it should show up in the Forwarder Management UI. The Forwarder Management UI will show every deployment client that has ever phoned home until the deployment server instance splunkd is restarted. ... View more

About the only thing you can do is select "Phone Home: Within Expected". This will show everything that is currently active. If the IP or hostname of the Forwarder is constantly changing, then the Deployment Server will keep a record of the deployment client contact but the phone home will not be active. ... View more

We currently have no plans to remove the file integrity monitoring feature from Splunk without providing a native alternative. Fschange will continue to exist in the Splunk package as a fully supported feature until we have an equivalent. Deprecation simply means we are no longer making feature improvements to fschange specifically. This also means a future file integrity monitoring feature may not use the fschange stanza in inputs.conf but may be delivered through another method. Thanks, Splunk Product Management ... View more

If you are using Splunk 6 on both Forwarder and Indexer (or just ingesting logs locally on the indexer) set sourcetype=iis in your inputs.conf. Under the covers, this is using INDEXED_EXTRACTIONS=W3C in props.conf and will automatically pick up the header and use it for field mappings so you don't have to mess with props and transforms. http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime ... View more

If you are using Splunk 6 on both forwarder and indexer, you should try to take advantage of the headers feature we built that better understands IIS and W3C log formats. http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime If you are seeing this "iis-2" sourcetype, we are attempting to use the CHECK_FOR_HEADER feature which is deprecated as of Splunk 6 and never worked very well for this format. On your forwarder, you should have in inputs.conf [monitor:///path-to-directory] sourcetype=iis Under the covers, we are using props.conf to set INDEXED_EXTRACTIONS=W3C on the IIS sourcetype, ignore the first few lines of the header, and automatically map the fields found in the IIS header. ... View more

Just documenting secret hotness in 6.0: http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime ... View more

We've deprecated CHECK_FOR_HEADER in Splunk 6 and replaced it with more robust header controls. See: http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime ... View more

You can try to use header extraction for this if running Splunk 6: http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime In props.conf [details] INDEXED_EXTRACTIONS=CSV There are additional controls as well if the header is not on the first line or is prefaced by other garbage. ... View more

In Splunk 6, you can choose one of the Date columns to use as the timestamp. http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime TIMESTAMP_FIELDS = Date1 ... View more

For Splunk 6, see: http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime Specifically the example on ignoring useless long headers. ... View more