Archive
Highlighted

Using tcp in inputs.conf on a SplunkLightForwarder

Path Finder

My forwarder:

./etc/system/local/inputs.conf
[tcp:4444]
connection_host = ip

./etc/system/local/outputs.conf
[tcpout]
defaultGroup = index_nodes

[tcpout:index_nodes]
server = 10.1.1.2:5555

My indexer:

./etc/system/local/inputs.conf
[splunktcp://5555]
index = main
sourcetype = kevin

This does not work when my forwarder has the SplunkLightForwarder app enabled. But when I disable it and pretend it's a normal Splunk instance it works. ¿por qué?

Tags (1)
0 Karma
Highlighted

Re: Using tcp in inputs.conf on a SplunkLightForwarder

Splunk Employee
Splunk Employee

SplunkLightForwarder disables network inputs. The presumption is that if you're going to send something over the network, send it straight to the indexer rather than passing it thought a LWF. The input can be selectively re-enabled.

Highlighted

Re: Using tcp in inputs.conf on a SplunkLightForwarder

Path Finder

So I added the lines which made it work

./etc/system/local/default-mode.conf
[pipeline:tcp]
disabled = false

Would any of the other settings in default-mode.conf effect me, such as pipeline:fifo?

Thanks, K

View solution in original post

0 Karma