We have a deployment scenario where the Splunk UF forwards the data to Splunk Enterprise using "one-way communication", so is there any way we can have the Splunk UF communicate with Splunk Enterprise through the UDP protocol?
Our scenario is that we have multiple Universal Forwarders forwarding data to Splunk Enterprise one way; between the UFs and Splunk Enterprise there is a proxy server which carries the TCP packets between the multiple UFs and Splunk Enterprise. When the data reaches Splunk Enterprise it shows the host IP of the proxy server address, so all the forwarded events are treated as events from the proxy server. Is there any way we can get the host details/IP address of each source (UF)?
You can have TCP also for one-way communication, meaning the connection will always be initiated by the Universal Forwarder. You need to open a firewall rule from source to destination on port 9997 (default).
I don't think you can forward over UDP to Splunk Enterprise from the Splunk Universal Forwarder. You need to have syslog installed on the Splunk Enterprise server for that.
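The one-way TCP setup described in the answer above about port 9997, as an added configuration example that is not part of the original thread: the Universal Forwarder opens the connection to the indexer's receiving port, so only an outbound rule from each UF to the indexer is required. The indexer hostname `splunk-ent.example.local` and the file paths are assumptions.

```ini
# outputs.conf on each Universal Forwarder
# (assumed path: $SPLUNK_HOME/etc/system/local/outputs.conf)
# The UF initiates the TCP connection; nothing connects back to the UF.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Assumed indexer hostname; default receiving port 9997.
server = splunk-ent.example.local:9997
# Indexer acknowledges received data so the UF can detect a broken path.
useACK = true

# inputs.conf on the Splunk Enterprise indexer
# (assumed path: $SPLUNK_HOME/etc/system/local/inputs.conf)
# Listen for forwarder traffic on the default receiving port.
[splunktcp://9997]
disabled = 0
```

After restarting the UF, `splunk list forward-server` on the forwarder reports whether the indexer is an active or configured-but-inactive destination, which is the quickest check that the firewall rule to port 9997 is working.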