topic Re: Indexer and Heavy Forwarder in once? in Getting Data In

Indexer and Heavy Forwarder in once?

wplank — Wed, 07 Oct 2015 05:13:08 GMT

Hello community,

we would like to forward a subset of syslog data to a 3rd party syslog host.
So, no problem, this is possible with a forwarder or a heavy forwarder (http://docs.splunk.com/Documentation/Splunk/6.3.0/Forwarding/Forwarddatatothird-partysystemsd).

But, I want to do this on our (single) indexer.
What happens if I add a outputs.conf, and so change the indexer to a heavy forwarder?

Is still everything (search, dashboards, alerts, ...) working as it should, plus the posibilities of a heavy forwarder?

Thanks for your help.

Re: Indexer and Heavy Forwarder in once?

Yasaswy — Wed, 07 Oct 2015 14:53:04 GMT

Hi, A heavy forwarder is a full splunk install. You can use a single system for all splunk functionalities as long as it fits your requirements. A single splunk instance can be configured to do both forwarding and indexing without impacting your current setup (assuming configurations are done correctly). Check out the documentation here:

Re: Indexer and Heavy Forwarder in once?

chaker — Wed, 07 Oct 2015 14:54:23 GMT

Hi,

I would not do it this way. I'd leave the job to the universal forwarder.

If you do want to have your indexer send the events to 3rd party, you will need this in your outputs.conf
[indexAndForward]
index=true
selectiveIndexing=true

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

#
# Perform selective indexing and forwarding
#
# With a heavy forwarder only, you can index and store data locally, as well as
# forward the data onwards to a receiving indexer. There are two ways to do
# this:

# 1. In outputs.conf:
[tcpout]
defaultGroup = indexers

[indexAndForward]
index=true
selectiveIndexing=true

[tcpout:indexers]
server = 10.1.1.197:9997, 10.1.1.200:9997

# 2. In inputs.conf, Add _INDEX_AND_FORWARD_ROUTING for any data that you want
#    index locally, and
_TCP_ROUTING=<target_group> for data to be forwarded.

[monitor:///var/log/messages/]
_INDEX_AND_FORWARD_ROUTING=local

[monitor:///var/log/httpd/]
_TCP_ROUTING=indexers

Re: Indexer and Heavy Forwarder in once?

somesoni2 — Wed, 07 Oct 2015 15:03:36 GMT

Indexer/Search Head/Heavy Forwarder/Deployment server/License Master are the roles that you assign to your Splunk Enterprise instance. One instance can perform multiple role (may be all of the roles if configured).