Hello,

Running Splunk Universal Forwarder 7.3.6 (build 47d8552a4d84) on CentOS 7.

I am sending two logs -- suricata and bro -- to indexers in AWS. The default Splunk group for these two is lbssl.

I want to split the two up like so:

suricata goes to lbssl (as it always has)
bro goes to NAD

Based on this thread: https://community.splunk.com/t5/Getting-Data-In/How-can-we-send-data-to-2-different-groups-of-indexers/td-p/280318

I have set my outputs.conf file:

    #ESG_072114_03
    [tcpout]
    defaultGroup = lbssl

    [tcpout:lbssl]
    compressed = true
    server = old-url.com:443
    sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
    sslPassword = long-encrypted-password-goes-here
    sslRootCAPath = $SPLUNK_HOME/etc/apps/ssl_forwarder/cert/ca_chain.pem
    sslVerifyServerCert = false

    [tcpout:NAD]
    compressed = true
    server = new-url-for-bro-NAD-flow:443
    sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
    sslPassword = another-long-encrypted-password-goes-here
    sslRootCAPath = $SPLUNK_HOME/etc/apps/ssl_forwarder/cert/ca_chain.pem
    sslVerifyServerCert = false

and in inputs.conf for the bro app added routing option:

    [default]
    _TCP_ROUTING = NAD
    host=server-name-goes-here-01

Never get any data for old-url, which is the suricata flow that got to Splunk before changes.

new-url-for-bro-NAD-flow does appear to get data.

Any thoughts on what is incorrect/misconfigured or additional needed configs would be helpful.
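The sketch below is an added example, not part of the original post or of Splunk's code: it resolves which tcpout group each input would be routed to, for the inputs.conf as posted and for a variant that sets `_TCP_ROUTING` on the bro monitor stanza only. It assumes that `[default]` stanzas in inputs.conf are merged across all apps; the app names and monitor paths are hypothetical.

```python
import configparser

# Constructed inputs.conf contents. App names and monitor paths are
# hypothetical; the [default] stanza of bro_app is the one from the post.
AS_POSTED = {
    "bro_app": "[default]\n_TCP_ROUTING = NAD\nhost = server-name-goes-here-01\n"
               "[monitor:///opt/bro/logs/current]\nsourcetype = bro\n",
    "suricata_app": "[monitor:///var/log/suricata/eve.json]\nsourcetype = suricata\n",
}
# Same inputs with the routing key moved onto the bro monitor stanza only.
PER_STANZA = {
    "bro_app": "[default]\nhost = server-name-goes-here-01\n"
               "[monitor:///opt/bro/logs/current]\n_TCP_ROUTING = NAD\n",
    "suricata_app": AS_POSTED["suricata_app"],
}

def _parse(text):
    # "default" must be an ordinary section here, so rename configparser's own.
    cp = configparser.RawConfigParser(default_section="__unused__", delimiters=("=",))
    cp.optionxform = str  # keep key case: _TCP_ROUTING, not _tcp_routing
    cp.read_string(text)
    return cp

def effective_routing(apps, default_group):
    """Map each input stanza to the tcpout group it would be sent to."""
    parsed = [_parse(text) for text in apps.values()]
    # Assumption: inputs.conf is merged in global context, so a [default]
    # stanza in any one app is inherited by the inputs of every app.
    # (Precedence between several competing [default] values is not modelled.)
    inherited = default_group
    for cp in parsed:
        if cp.has_option("default", "_TCP_ROUTING"):
            inherited = cp.get("default", "_TCP_ROUTING")
    routes = {}
    for cp in parsed:
        for stanza in cp.sections():
            if stanza != "default":
                routes[stanza] = cp.get(stanza, "_TCP_ROUTING", fallback=inherited)
    return routes

if __name__ == "__main__":
    for label, apps in (("as posted", AS_POSTED), ("per stanza", PER_STANZA)):
        for stanza, group in effective_routing(apps, "lbssl").items():
            print(f"{label:10}  {stanza:40} -> {group}")
```

On a real forwarder, `splunk btool inputs list --debug` prints the merged stanzas and the file each setting came from, which is the authoritative check.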