@PickleRick  query. i am able to forward iis logs from window server using splunk forwarder to heavy forwarder [ splunk forwarder --> Heavy forwarder --> syslog remote server but heavy forwarder not able to send logs or data to syslog server . is there any way to check whether it is sending data or not from HF to syslog server please share the configuration at HF end to send data to syslog server specifically that props.conf , transforms.conf , outputs.conf  any setting needed for inputs.conf as well at HF end ? ... View more

@PickleRick  without forwarding data to splunk heavy forwarder i cannot send to syslog server  do you have any alernative for this like to  forward ftop logs from window directory to syslog server without using splunk  ... View more

@PickleRick , you mean with heavyforwarder it is possible to fwd txt logs files exist in folder . if it is possible  please share me the configurations file for inputs.conf and outputs.conf  whatever needed to send data to syslog server ... View more

Hi , plese help , how can i send data directly to  remote system , or syslog without indexing. please provide the config settings for inputs.conf, outputs.conf, props.conf , transforms.conf you help is appreciated. thanks ... View more

@isoutamo  i have placed networker_inputs app at both places SH and HF at /apps i have disabled data inputs on SH and it is enabled on HF HF props.conf  [json_scripted_input] INDEXED_EXTRACTIONS=json TIME_FORMAT=%Y-%m-%dT%H:%M:%S%:z TIMESTAMP_FIELDS=timestamp DATETIME_CONFIG = SH props.conf [json_scripted_input] #INDEXED_EXTRACTIONS=json TIME_FORMAT=%Y-%m-%dT%H:%M:%S%:z TIMESTAMP_FIELDS=timestamp DATETIME_CONFIG = KV_MODE = none please check and let me know is it fine ? ... View more

after adding this indexed_extractions = json , i am getting duplicate field values ... View more

@isoutamo  after change above configurations in HF for props.conf , i am getting none for timestamp field TIME_FORMAT=%Y-%m-%dT%H:%M:%S%:z TIMESTAMP_FIELDS=timestamp DATETIME_CONFIG =   help here ... View more

@isoutamo  any update  ... View more

any resolution will be appreciable here you were telling one more solution if indexed_extractions is set to none.  you sugest to convert timestamp to _time  can you tell me how can i do it and where in props.conf in HF or Search head. Thanks ... View more

any specific logs i need check in internal logs to troubleshoot certifcate issue ... View more

i have moved scripted input app to HF . but nothing changed . same duplicate values are coming. props.conf also there on HF. do i need to configure props.conf on Search head as well    ... View more

do you want me to place scripted input on HF ? and KV_MODE=none on SH . one doubt does it makes any changes . will it solved the problem of duplicate values ? please find the output of SH node of above command.   splunk btool props list json_scripted_input --debug | egrep '(INDEXED_EXTRACTIONS|KV_MODE|AUTO_KV_JSON)' /opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true /opt/splunk/etc/apps/networker_inputs/local/props.conf INDEXED_EXTRACTIONS = json /opt/splunk/etc/apps/networker_inputs/local/props.conf KV_MODE = none ... View more

should_line_merge=false does not make any difference in output. i am not using kv_mode=json in other places . still i am getting duplicate field values. ... View more

props.conf [json_scripted_input] SHOULD_LINEMERGE=true LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true CHARSET=UTF-8 INDEXED_EXTRACTIONS=json KV_MODE=none category=Structured description=Your own JSON definition for networker_alerts.py script disabled=false pulldown_type=true TIME_FORMAT=%Y-%m-%dT%H:%M:%S%:z TIMESTAMP_FIELDS=timestamp timestamp is present in scripted input output  ... View more

i have distributed env.  search heads and indexers are in clustering ,  search heads are not in shclustering  heavy forwarder is also there i was testing this script on dev environment before making changes in prod. so i have placed scripted inputs on search head not on HF  props.conf is also on search head containing below configs as you mentioned in above post [json_scripted_input] SHOULD_LINEMERGE=true LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true CHARSET=UTF-8 INDEXED_EXTRACTIONS=json                 [on search head] KV_MODE=none                                              [on search head] category=Structured description=Your own JSON definition for networker_alerts.py script disabled=false pulldown_type=true TIME_FORMAT=%Y-%m-%dT%H:%M:%S%:z TIMESTAMP_FIELDS=timestamp #AUTO_KV_JSON=false INDEXED_EXTRACTIONS=json ( when i disable it , category, message and priority field goes fine with single                                                                            value, but timestamp got 2 values i.e none and timestamp)                                                                  and when i enable it, all field having duplicates values, timestamp also                                                                               having duplicate values without none please suggest  also let me know if i am not using indexed_extractions=json, how can i convert timestamp into _time ... View more

when i removed indexed_extractions from props.conf again i start getting same data as it was in starting like  category, priority and message field as single value but timestamp field again  with 2 values like  none value timestamp if there was any kv_mode=json on any node like search head . data would not  have come back in old format  it would have been duplicate values only   ... View more

all fields duplicated which are coming in scripted input output. like below category message priority timestamp script output {"category": "disk space", "message": "'xxx' host '/nsr' disk path occupied with '92.42%' of disk space. Free up the space.", "priority": "warning", "timestamp": "2023-07-03T08:51:25+02:00"} timestamp is different field then _time. coming in outputs as shown above ... View more

@isoutamo , what will be the solution. please help ... View more

there is only single event in splunk web it is showing but when i am checking timestamp field with  index=xx | table timestamp. it is showing multiple values in single field. both parameter are not json as per your props.conf values given by you these are the settings. indexed_extractions= json kv_mode = none  ... View more

none is removed from timestamp field . but now i am getting duplicate values in timestamp field for single event see below. please help to resolve this   ... View more

@isoutamo , can you help me to understand what was the issue ,  one doubt, if i  put props.conf in /opt/splunk/etc/system/local, it will be used by all data inputs right. here i have kept it inside /etc/apps/<app_name>/local folder .  only   ... View more

thankyou isoutamo, this solution solved my problem ... View more