topic Re: Forward data from splunk to splunk instance in Getting Data In

Forward data from splunk to splunk instance

jmsiegma — Wed, 23 Apr 2014 19:39:36 GMT

I have a network where I have a splunk instance that is off to the side on my network, as in:

Core Splunk Instance (S1) -> Remote Site Splunk (S2) -> Sub Remote Site (S3) -> Clients (C1) Universal Forwarders

What I would like to do is have all the clients on the far end (C1) running splunks universal forwarder to send their data to the local splunk server (S3), and then have that server pass all the data to a in-between splunk server (S2), which will do nothing more than forward it to the core splunk instance (S1), but I am unsure how I would configure this, or what it would be referred to in the splunk documentation world.

The reason for doing this, is that the splunk site (S3) does not have a way to communicate with the Core Splunk Site (S1) so I have to forward it through a middle man of some type, and given I have a Splunk server in the middle, I have been hinted that, this is possible.

I do not need (S2) or (S3) to be able to keep the files, just simply forward them down stream to the Core Splunk instance.

My questions are:

What type of install does Splunk Servers (S2) & (S3) have to be to be able to do this? Universal or Full or Either?
What would the configs look like on (S3) & (S2) to make this happen.

Thank you

Re: Forward data from splunk to splunk instance

martin_mueller — Wed, 23 Apr 2014 22:38:26 GMT

The Splunks in the middle for forwarding without storing are called intermediate forwarders. Usually a Universal Forwarder install is enough, and it does not consume license volume because it doesn't do any indexing. The basic config looks like this:

C1: Enable outputs.conf to send to S3
S3: Enable receiving in inputs.conf, set outputs.conf to send to S2
S2: Enable receiving in inputs.conf, set outputs.conf to send to S1
S1: Enable receiving in inputs.conf

S1 is a regular full-fat Splunk instance that does the parsing and indexing, the others only forward data.

Here's an entry point into the docs on intermediate forwarders: http://docs.splunk.com/Documentation/Splunk/6.0.3/Forwarding/Forwarderdeploymenttopologies#Intermediate_forwarding

Re: Forward data from splunk to splunk instance

jmsiegma — Thu, 08 May 2014 04:55:57 GMT

On (S3) Farthest from the Core:

Create: inputs.conf

[splunktcp://9997]
disabled = 0 
compressed = true

Create: outputs.conf

[tcpout:splunkindexer_9997]
server={IP of S2):9997
heartbeatFrequency = 30
compressed = true

On (S2):
Create: inputs.conf

[splunktcp://9997]
disabled = 0
compressed = true

Create: outputs.conf

[tcpout]
defaultGroup=splunkindexer_9997

[tcpout:splunkindexer_9997]
server={cluster IP1}:9997, {cluster IP2}:9997, {cluster IP3}:9997, {cluster IP4}:9997
heartbeatFrequency = 30
autoLBFrequency=30
compressed = true
useACK = true