Hey there,
What is the best way (if any) to configure the Receiver host to accept forwarded data from itself? I thought it would be as easy as configuring the host as a receiver and then forwarding data to itself from the forwarding configuration. But this does not seem to work.
Any advice?
Thank you for the response(s).
Basically, I wanted to make my splunk receiver a cron server as well. And I would like the output of the local cron scripts to be received and indexed by the local splunk listener.
I had set up the splunk server to listen on port 9997 then also configured it to forward to itself on that port. I then configured a local test script to run every 30 seconds through the splunk manager but found that the output of the script was not getting captured by the splunk server.
Is there a better way to do something like this than what I had understood?
I agree with @lukejadamec. Probably better to just read local files as ... local files, i.e. have a mixture of [monitor] and [splunktcp] stanzas in the inputs.conf files on the Indexer. In theory, you could install a Forwarder on the same machine as the Indexer, to send the output to localhost:9997 (or whatever port you are using), but that seems ... unnecessary.
Again, what is the use case?
UPDATE:
The best way - from the way it sounds - is to just monitor the file that is created by the script.
inputs.conf (on the indexer)
[monitor:///path/to/file]
index = your_index
sourcetype = your_sourcetype
See these sections of the docs:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories
http://docs.splunk.com/Documentation/Splunk/latest/Data/FilesDirslocal
http://docs.splunk.com/Documentation/Splunk/latest/Data/Unixlogslocal
Hope this helps,
/K
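The mixed inputs.conf that the answer above describes, written out as an added example (not part of the original post). The file path, script path, index and sourcetype names are placeholders, and the [script://] stanza is an assumed alternative for the asker's 30-second test script.

```ini
# inputs.conf on the indexer (added example; all paths and names are placeholders)

# Receive data from remote forwarders on the port mentioned in the thread.
[splunktcp://9997]
disabled = 0

# Read the file written by the local cron job directly from disk.
# Nothing has to travel over the network for this input.
[monitor:///path/to/file]
index = your_index
sourcetype = your_sourcetype
disabled = 0

# Alternative to cron: let Splunk run the script itself every 30 seconds
# and index whatever it prints to stdout. The script path is hypothetical.
[script://$SPLUNK_HOME/bin/scripts/your_script.sh]
interval = 30
index = your_index
sourcetype = your_sourcetype
disabled = 0

# No outputs.conf entry pointing back at localhost:9997 is needed:
# local inputs on an indexer are indexed locally.
```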
In what use case?
What do you want Splunk to do with the data after it sends it to itself?
Indexers are receivers, so there is no reason to send it in a loop.