- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- How to set up forwarder and Indexer?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
first of all, questions can be very under-leveled compare to the other community questions, therefore, please don't make any bad comments; I understand.
Baseline
-Win2019 Server (Server A), Splunk Enterprise installed and will be used as a main SEARCH HEAD and INDEXER
-Win2019 Server (Server B), Installed Universal Forwarder and connected to the Server A, AND will be forwarding data that I will manually feed.
-RedHat (Server X) (syslog server), Installed Universal Forwarder and connected to the Server A, and I want this to send the syslogs to Server A
Problem and Question 1.
?The Server B is forwarding data to 'main' indexer by default. How can I change this so that Server B is forwarding data to Server A to a 'test' indexer?
??Server B is by default sending logs from /var/log/splunk, is there a way to change the location? or what items to send? I understand it's probably in the .conf files but I just cannot find it
P&Q 2.
Server X, on the other hand, sending the logs to the "_internal" indexer of the Server A. when installing both of them, Server B and X, I've used same IP address, not sure why it's sending it to different indexers.
?How can I can I change the destination indexer from Server X to Server A?
??seems like Server X is sending the logs from /var/log/splunk also, how can I change this??
???also how can I select which logs to send, and not to send???
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @yohhpark,
at first I didn't see any relevant production system based on Windows server, I understand that's a lab installation but anyway, start from Linux!
Then when you'll want to use Deployment Server features (and surely you'll use them), using a Windows server you will have problems to manage Linux servers.
Then in general you sometimes confused Index with Indexer:
- Indexer is a Splunk Server with the Indexers Role containing the indexes,
- Index is a silos containg data.
Anyway, aswering to your questions:
Problem and Question 1.
?The Server B is forwarding data to 'main' indexer by default. How can I change this so that Server B is forwarding data to Server A to a 'test' indexer?
- which TA are you using to ingest logs?
- I hint to use the Splunk_TA-Windows (https://splunkbase.splunk.com/app/742/😞 you need only to enable inputs.
- anyway to send logs to an index is sufficient to add a row "index=test" to each stanza of your inputs.conf.
??Server B is by default sending logs from /var/log/splunk, is there a way to change the location? or what items to send? I understand it's probably in the .conf files but I just cannot find it
- which TA are you using to ingest logs?
- I hint to use the Splunk_TA-nix (https://splunkbase.splunk.com/app/833/😞 you need only to enable inputs.
- anyway, all inputs are in inputs.conf files that can be in more locations:
- SPLUNK_HOME/system/default
- SPLUNK_HOME/system/local
- SPLUNK_HOME/apps/<your_app>/default
- SPLUNK_HOME/apps/<your_app>/local
- You can find them using the btool CLI command (https://docs.splunk.com/Documentation/Splunk/9.0.0/Troubleshooting/Usebtooltotroubleshootconfigurati...).
P&Q 2.
Server X, on the other hand, sending the logs to the "_internal" indexer of the Server A. when installing both of them, Server B and X, I've used same IP address, not sure why it's sending it to different indexers.
- never use the same IP for different Clients!
?How can I can I change the destination indexer from Server X to Server A?
- You can change the destination index as described above, but it isn't a good idea: Splunk internal logs must be stored in _internal and it's possible to distinguish theb using the host field.
??seems like Server X is sending the logs from /var/log/splunk also, how can I change this??
- see above answer
???also how can I select which logs to send, and not to send???
- you can use "whitelist" and "blacklist" options
In general I hint to follow some Splunk training starting from "Getting data in":
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Data/Getstartedwithgettingdatain
https://www.youtube.com/watch?v=gHzUW9oOvKA
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/HowtogetWindowsdataintoSplunk
https://www.splunk.com/en_us/resources/videos/getting-data-in-to-splunk-enterprise-linux.html
In other words: use Google Search to search docs containing "Splunk getting data in".
I hint to see also some videos from the YouTube Splunk Channel https://www.youtube.com/c/Splunkofficial.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @yohhpark,
at first I didn't see any relevant production system based on Windows server, I understand that's a lab installation but anyway, start from Linux!
Then when you'll want to use Deployment Server features (and surely you'll use them), using a Windows server you will have problems to manage Linux servers.
Then in general you sometimes confused Index with Indexer:
- Indexer is a Splunk Server with the Indexers Role containing the indexes,
- Index is a silos containg data.
Anyway, aswering to your questions:
Problem and Question 1.
?The Server B is forwarding data to 'main' indexer by default. How can I change this so that Server B is forwarding data to Server A to a 'test' indexer?
- which TA are you using to ingest logs?
- I hint to use the Splunk_TA-Windows (https://splunkbase.splunk.com/app/742/😞 you need only to enable inputs.
- anyway to send logs to an index is sufficient to add a row "index=test" to each stanza of your inputs.conf.
??Server B is by default sending logs from /var/log/splunk, is there a way to change the location? or what items to send? I understand it's probably in the .conf files but I just cannot find it
- which TA are you using to ingest logs?
- I hint to use the Splunk_TA-nix (https://splunkbase.splunk.com/app/833/😞 you need only to enable inputs.
- anyway, all inputs are in inputs.conf files that can be in more locations:
- SPLUNK_HOME/system/default
- SPLUNK_HOME/system/local
- SPLUNK_HOME/apps/<your_app>/default
- SPLUNK_HOME/apps/<your_app>/local
- You can find them using the btool CLI command (https://docs.splunk.com/Documentation/Splunk/9.0.0/Troubleshooting/Usebtooltotroubleshootconfigurati...).
P&Q 2.
Server X, on the other hand, sending the logs to the "_internal" indexer of the Server A. when installing both of them, Server B and X, I've used same IP address, not sure why it's sending it to different indexers.
- never use the same IP for different Clients!
?How can I can I change the destination indexer from Server X to Server A?
- You can change the destination index as described above, but it isn't a good idea: Splunk internal logs must be stored in _internal and it's possible to distinguish theb using the host field.
??seems like Server X is sending the logs from /var/log/splunk also, how can I change this??
- see above answer
???also how can I select which logs to send, and not to send???
- you can use "whitelist" and "blacklist" options
In general I hint to follow some Splunk training starting from "Getting data in":
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Data/Getstartedwithgettingdatain
https://www.youtube.com/watch?v=gHzUW9oOvKA
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/HowtogetWindowsdataintoSplunk
https://www.splunk.com/en_us/resources/videos/getting-data-in-to-splunk-enterprise-linux.html
In other words: use Google Search to search docs containing "Splunk getting data in".
I hint to see also some videos from the YouTube Splunk Channel https://www.youtube.com/c/Splunkofficial.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you.
Yes, my wordings are confusing but do understand difference between index/indexer.
Again, saved me, Legend!
P.S. Sorry but I will have one more question coming up...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @yohhpark,
good for you, see next time!
If you'll have new questions on a different argument, please open a new questions, not continue on this one.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First and foremost, if you're installing UF on a host, you don't want to send syslog from this host to Splunk from there. You might want to _receive_ syslog from remote hosts.
Anyway, the default index for any input is "main" (I mean with default config - out of the box). Any input can have its destination index reconfigured. And for Splunk's internal data it's reconfigured to the _internal index.
So if you just add an input without any additional configuration, it will be sent to the default "main" index. If you add a proper entry in inputs.conf, the events will be sent to that index.
New Case Study Shows the Value of Partnering with Splunk Academic Alliance
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
