![]() ![]() Many thanks in advance for the feedback and help. under /opt/splunk/etc/apps/my_app1/local/nf. venkatasri SplunkTrust 06-08-2021 05:31 PM Hi balcv crcSaltMaking on the other hand changes through Data inputs | Local inputs | Files & directories, so for the Indexer instead, through the GUI, does not remove "crcSalt" entries on the relevant nf file on the Indexer, e.g. Splunk-spec-files/nf Go to file Go to fileT Go to lineL Copy path. In my opinion this is not user friendly, a usual GUI-user might wonder why all of a sudden the indexed files won't show up as sources in the GUI anymore, not to mention a usual GUI user does not necessarily have access to command line level at all, to re-do the crcSalt entries. By running the btool and troubleshooting commands, we came to know t. Now the issue is few of the logs from a folder are missing on Indexers. These Universal Forwarders are managed by Deployment Server. The crcSalt entry however, only can be made through the command line on OS level and not through the GUI.Īs it turned out however, whenever a change is made in the GUI through Data inputs | Forwarded inputs | Files & directories to -any- of these entries there and saved, -all- the crcSalt entries in the nf file on the Forwarder disappear and manually will have to be re-done. Hi All, We have Splunk environment with nearly 1000 Universal Forwarders sending logs to Indexers. How to configure nf to apply crcsalt for only a few files under a directory/folder, not all of them brodgeico. COVID-19 Response SplunkBase Developers Documentation. 400 nf about 393 attributes 393 blacklist, using 394 crcSalt. So in respect to the above examples, the file looks afterwards like follows: Below is my current nf monitor://d:winevents recursive true. 440, 441 nf 416, 418 indextime search app URL 349 nf. Otherwise all source files won't be indexed properly or rather "won't be displayed as Sources" I should say. Unfortunately, as I mentioned, I dont have the option of editing the nf file - I am looking for a way to set the crcSalt option via the Command-Line Interface (CLI) - the moral equivalent of './splunk add monitor set crcSalt '. In our environment however, the need arose to add also the crcSalt = entry for each section on the Forwarders nf file. They are written on the Forwarder into file /opt/splunkforwarder/etc/apps/_server_app_SERVERCLASS1/local/nf, with SERVERCLASS1 being the Server Class.Įntries in the Forwarders nf look, after adding them through the GUI, for instance like this: In the GUI we configured (as admin user) for the Forwarder under Data inputs | Forwarded inputs | Files & directories certain entries. ![]() The OS on both hosts is CentOS Linux release Splunk tries its best to avoid re-indexing entire files that are ingesting via a monitor stanza. nf became simply: COVID-19 Response SplunkBase Developers Documentation. The Splunk Indexer and Forwarder we have are on these versions: Splunk 7.1.2 (build a0c72a66db66), Splunk Universal Forwarder 7.1.2 (build a0c72a66db66). Hi, turned out we also needed to add directive crcSalt in nf on UFs. I did run into the following issue and was wondering if anybody experienced the same and/or probably even has a solution: ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |