topic Re: forward data from a receiver in Getting Data In

forward data from a receiver

sansri7680 — Fri, 22 Mar 2013 15:50:59 GMT

I have a Universal forwarder forwarding data from windows machine and I have created a receiver in the Splunk instance which resides in the Linux server. Instead of creating an input that takes data from the receiver, I want to forward the raw data received by the receiver to the indexer and get it indexed properly as we know Universal forwarder doesn't split the events in the data and just forwards the data to a receiver. I need to split the forwarded raw data into events and index it. Can someone throw some light on this

Thanks in advance
Subbu

Re: forward data from a receiver

yannK — Fri, 22 Mar 2013 15:57:56 GMT

enable receiving on the indexer, and configure forwarding on the forwarder.

see http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Setupforwardingandreceiving

Re: forward data from a receiver

Matthias_BY — Fri, 22 Mar 2013 16:03:41 GMT

Hi Subbu,

what is the main goal you try to solve?

The topology is that the universal forwarder sends data directly to the indexer where it get's indexed. if you have multiline logs the universal forwarder will send them line by line to the indexer, and the indexer will make sure they are re-constructed e.g. you can configure line merging by defining the source type. you might also split them.

http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Indexmulti-lineevents

Br
Matthias

Re: forward data from a receiver

sansri7680 — Mon, 28 Sep 2020 13:35:44 GMT

Here are the configurations that I did
Universal forwarder output.conf ($SPLUNK_HOME/etc/system/local) on windows
[tcpout]
defaultGroup = 10.200.221.158_9997
disabled = false

[tcpout:10.200.221.158_9997]
server = 10.200.221.158:9997

[tcpout-server://10.200.221.158:9997]

Heavy forwarder Input.conf ($SPLUNK_HOME/etc/system/local) on linux machine
[splunktcp://9997]

Indexer Inputs.conf ($SPLUNK_HOME/etc/apps/search/local
[splunktcp://9998]

Indexer props.conf
[4GCDR]
BREAK_ONLY_BEFORE = (.*)(INBOUND>>>>>|<<<<OUTBOUND)
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
pulldown_type = 1
TRUNCATE=0

Re: forward data from a receiver

sansri7680 — Mon, 25 Mar 2013 13:28:49 GMT

what I am trying to do is that I am forwarding a 4G network log from the windows machine to the splunk instance on the linux server and trying to index the data there. I have only a universal forwarder installed in the windows end but a full splunk instance on the linux end. Even after doing the above config the events are not getting split whatever changes done to the log is coming in as a single record. The Regex logic is fine if tested in isolation