https://community.splunk.com/t5/Getting-Data-In/Is-there-an-example-configuration-available-for-an-Intermediate/m-p/22810#M3553 <P>Referring to <A href="http://www.splunk.com/base/Documentation/latest/admin/Aboutforwardingandreceiving" rel="nofollow">http://www.splunk.com/base/Documentation/latest/admin/Aboutforwardingandreceiving</A>, under the section "Intermediate forwarding" - is there a configuration example available?</P> <P>I'd like to see an example of a heavy forwarder. </P> Sat, 08 Jan 2011 01:50:48 GMT charliesullivan 2011-01-08T01:50:48Z https://community.splunk.com/t5/Getting-Data-In/Is-there-an-example-configuration-available-for-an-Intermediate/m-p/22810#M3553 <P>Referring to <A href="http://www.splunk.com/base/Documentation/latest/admin/Aboutforwardingandreceiving" rel="nofollow">http://www.splunk.com/base/Documentation/latest/admin/Aboutforwardingandreceiving</A>, under the section "Intermediate forwarding" - is there a configuration example available?</P> <P>I'd like to see an example of a heavy forwarder. </P> Sat, 08 Jan 2011 01:50:48 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-an-example-configuration-available-for-an-Intermediate/m-p/22810#M3553 charliesullivan 2011-01-08T01:50:48Z https://community.splunk.com/t5/Getting-Data-In/Is-there-an-example-configuration-available-for-an-Intermediate/m-p/22811#M3554 <P>Here are sample configs from my setup (Lightweight forwarders -&gt; Heavy forwarder -&gt; Indexer).</P> <P>My Lightweight forwarders (LWFs) are configured just like any other LWF would be configured (as in <A href="http://www.splunk.com/base/Documentation/latest/Admin/Enableforwardingandreceiving#Set_up_light_forwarding_with_Splunk_Web" rel="nofollow">enable the lightweight forwarder app</A>). LWF's <STRONG>outputs.conf</STRONG>. This forwards on port 9997 to the host "myHWF":</P> <PRE><CODE>[tcpout] defaultGroup = myHWF_9997 disabled = false [tcpout:myHWF_9997] server = myHWF:9997 [tcpout-server://myHWF:9997] </CODE></PRE> <P>Then you configure the Heavyweight forwarder (HWF) to both receive and forward data (<A href="http://www.splunk.com/base/Documentation/latest/Admin/Enableforwardingandreceiving#Set_up_regular_forwarding_with_Splunk_Web" rel="nofollow">enable the forwarder app</A>). HWF <STRONG>inputs.conf</STRONG>. This enables receiving on port 9997:</P> <PRE><CODE>[splunktcp://9997] </CODE></PRE> <P>HWF <STRONG>outputs.conf</STRONG>. This enables forwarding of data on port 9998. Note that I have disabled indexing at this HWF by setting indexAndForward to false. This keeps Splunk from indexing the events that are being forwarded to it by the LWFs. In addition I am encrypting this connection via SSL:</P> <PRE><CODE>[tcpout] defaultGroup = splunk01 indexAndForward = false [tcpout:splunk01] server = splunk01:9998 compressed = true [tcpout-server://splunk01:9998] sslCertPath = $SPLUNK_HOME\etc\auth\server.pem sslPassword = XXXXXXXXXXXXXXXXX sslRootCAPath = $SPLUNK_HOME\etc\auth\cacert.pem sslVerifyServerCert = false </CODE></PRE> <P>And finally at the Indexer configure your <STRONG>inputs.conf</STRONG>. Receiving on port 9998; again, with SSL settings:</P> <PRE><CODE>[splunktcp-ssl:9998] compressed = true [SSL] password = XXXXXXXXXXXXX requireClientCert = false rootCA = $SPLUNK_HOME\etc\auth\cacert.pem serverCert = $SPLUNK_HOME\etc\auth\server.pem </CODE></PRE> <P>And that's basically it. Events from your LWF's get pooled at your HWF, which then sends them on to your Indexer.</P> Sat, 08 Jan 2011 03:22:59 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-an-example-configuration-available-for-an-Intermediate/m-p/22811#M3554 ftk 2011-01-08T03:22:59Z