Archive

Do I need universal forward to do intermediate forwarding on Guest2?

Path Finder

Hi,

I am forwarding data from a Nat VM Guest1 to Nat VM Guest2. I have installed universal forwarder to forward data to Guest2 and I can see data coming in. I then set the forwarding rules in splunk instance to forward out to Guest 3.

I noticed Guest 3 saw some data in but I haven't install universal forwarder on Guest2.

Do I actually need to install Universal FOrwarder on Guest2 to do it correctly?

0 Karma
1 Solution

Legend

Hi wuming79,
let me understand: you installed Forwarder on Guest1 and it sends logs to a Splunk Enterprise on Guest2.
Now you want to forward logs from Guest 2 to Guest3 where there is another Splunk Enterprise instance, correct?

If this is your need, you don't need a Universal Forwarder on Guest2, you can use Splunk Enterprise on Guest2 to forward logs to another Splunk Enterprise (it's an Heavy Forwarder).
To set it use Splunk web [Settings -- Forwarding and receiving -- Forwarding].

Bye.
Giuseppe

View solution in original post

0 Karma

Path Finder

Thanks cusello!

0 Karma

Legend

Hi wuming79,
let me understand: you installed Forwarder on Guest1 and it sends logs to a Splunk Enterprise on Guest2.
Now you want to forward logs from Guest 2 to Guest3 where there is another Splunk Enterprise instance, correct?

If this is your need, you don't need a Universal Forwarder on Guest2, you can use Splunk Enterprise on Guest2 to forward logs to another Splunk Enterprise (it's an Heavy Forwarder).
To set it use Splunk web [Settings -- Forwarding and receiving -- Forwarding].

Bye.
Giuseppe

View solution in original post

0 Karma

Champion

from Guest1, do you want to send data to both Guest2 and Guest3?
or
Guest1 to Guest2 and then from Guest2 to Guest3?

maybe, check once - Forward data to third-party systems
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Forwarding/Forwarddatatothird-partysystemsd

0 Karma

Path Finder

Guest1 to Guest2 and then from Guest2 to Guest3?

Currently in my system\local\ there is no prop.conf nor transform.conf. Do I have to create these files?

0 Karma