I am aware of how to get the data from a universal forwarder. Can anyone explain to me the process of getting data from a heavy forwarder using the CLI?
I would really appreciate it if anyone could explain the step-by-step commands for getting the data.
My Splunk search head is in a standalone environment.
First, just a quick correction to terminology: in Splunk terms, we would say that you are sending data from a forwarder to an indexer or to a standalone Splunk instance. We often use the term "receiver" so that we don't need to specify whether you are forwarding data to an indexer or a standalone Splunk server - or even to another forwarder. It is all configured in the same way. (But "forwarding data to a search head" seems weird and maybe wrong to experienced Splunk folks.)
Second, there are several manuals with step-by-step instructions for configuring the forwarder. I would start with this, the Forwarding Data manual. The advice from Lucas K is fine, but we could do a lot of back-and-forth on your specific needs. It is probably quicker just to start with the manual and ask clarifying questions if needed.
Finally, I would strongly suggest that you use a Universal Forwarder and not a Heavy Forwarder. There are very few cases where a heavy forwarder is needed, and it has performance pitfalls and other possible issues. Especially for a person who is new to Splunk, I suggest that a Universal Forwarder is a better choice. Why do you require a heavy forwarder?
But to ultimately answer your question, which is "how do I use the CLI for this":
On the receiver:
splunk enable listen port
On the forwarder:
splunk add forward-server receiver:port
Where port is any valid and open port number that you like (9997 is often used as an example). And receiver is either the IP address or DNS name of the receiver. However, if you are using a heavy forwarder, you should add the additional settings that Luke K showed in outputs.conf on the forwarder:
[tcpout]
defaultGroup=default-autolb-group
disabled=false
forwardedindex.filter.disable = true
You also need to switch the heavy forwarder to a Forwarder license from the trial license that is pre-installed. You do not need these settings if you are using the Universal Indexer.
Could you provide more information here on what you're trying to achieve? Are you trying to set up your heavy forwarder and your standalone Splunk instance to enable data forwarding? If yes, then the process of enabling forwarding on an HF or UF and enabling receiving on an Indexer/Standalone full Enterprise instance is the same. The only difference that you'll see between getting data from a UF vs an HF is that the sourcetype definition would be on the Indexer/Standalone Splunk instance in the case of a UF, and the same would be configured on the HF in the case of an HF.
I'm trying to forward data from a heavy forwarder to the standalone Splunk instance.
Forwarding data from an HF is the same as from a UF (as somesoni2 already said).
Just set the destination in outputs.conf on the HF to be the standalone Splunk instance.
outputs.conf
[tcpout]
defaultGroup=standalone
disabled=false
forwardedindex.filter.disable = true
[tcpout:standalone]
server=mystandalonehost.com:9997
On the standalone instance, make sure you are listening on the standard Splunk receiving port (9997):
inputs.conf
[splunktcp://9997]
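As an added example (not code from any poster in this thread or from Splunk itself), here is a small Python checker that parses the outputs.conf and inputs.conf snippets from the answers above and cross-checks them: the forwarder's defaultGroup must point at a defined [tcpout:&lt;group&gt;] stanza whose server value is host:port, [tcpout] must not be disabled, and the receiver must have a [splunktcp://&lt;port&gt;] stanza on that same port. The sample conf text and the hostname mystandalonehost.com are constructed placeholders taken from the thread; pass your real file contents to check_pair() to run it against an actual deployment.

```python
"""Cross-check a Splunk forwarder's outputs.conf against the receiver's inputs.conf.

Added example for this thread; it is not Splunk's own tooling. The conf
snippets below are constructed from the answers above, with a placeholder
hostname. Run it against real files by passing their contents to check_pair().
"""
import configparser
import re

# Constructed sample: outputs.conf on the heavy forwarder (mirrors the answer above).
SAMPLE_OUTPUTS = """\
[tcpout]
defaultGroup=standalone
disabled=false
forwardedindex.filter.disable = true

[tcpout:standalone]
server=mystandalonehost.com:9997
"""

# Constructed sample: inputs.conf on the standalone receiver.
SAMPLE_INPUTS = """\
[splunktcp://9997]
"""


def parse_conf(text):
    """Parse Splunk .conf text (INI-style stanzas) into {stanza: {key: value}}.

    Only '=' is treated as a delimiter so that 'server=host:9997' keeps its port,
    and key case is preserved because settings such as defaultGroup are case-sensitive.
    """
    parser = configparser.ConfigParser(
        interpolation=None, allow_no_value=True, delimiters=("=",)
    )
    parser.optionxform = str  # keep key case
    parser.read_string(text)
    return {s: dict(parser.items(s)) for s in parser.sections()}


def check_outputs(outputs):
    """Inspect a forwarder's outputs.conf.

    Returns (problems, target) where target is (host, port) of the default
    group's server, or None when the config is too broken to determine it.
    """
    problems = []
    tcpout = outputs.get("tcpout", {})
    if tcpout.get("disabled", "false").strip().lower() == "true":
        problems.append("[tcpout] is disabled, nothing will be forwarded")
    group = tcpout.get("defaultGroup")
    if not group:
        problems.append("[tcpout] has no defaultGroup")
        return problems, None
    group = group.strip()
    stanza = outputs.get(f"tcpout:{group}")
    if stanza is None:
        problems.append(f"defaultGroup={group} but no [tcpout:{group}] stanza exists")
        return problems, None
    server = stanza.get("server", "").strip()
    m = re.fullmatch(r"([A-Za-z0-9.-]+):(\d{1,5})", server)
    if not m or not 1 <= int(m.group(2)) <= 65535:
        problems.append(f"[tcpout:{group}] server={server!r} is not host:port")
        return problems, None
    return problems, (m.group(1), int(m.group(2)))


def receiver_ports(inputs):
    """Ports the receiver listens on, from enabled [splunktcp://<port>] stanzas."""
    ports = set()
    for stanza, settings in inputs.items():
        m = re.fullmatch(r"splunktcp://(\d+)", stanza)
        if m and settings.get("disabled", "false").strip().lower() != "true":
            ports.add(int(m.group(1)))
    return ports


def check_pair(outputs_text, inputs_text):
    """Validate forwarder and receiver configs together; returns (ok, messages)."""
    problems, target = check_outputs(parse_conf(outputs_text))
    if target is not None:
        host, port = target
        ports = receiver_ports(parse_conf(inputs_text))
        if port not in ports:
            listening = sorted(ports) if ports else "nothing"
            problems.append(
                f"forwarder sends to {host}:{port} but receiver listens on {listening}"
            )
    return (not problems, problems)


if __name__ == "__main__":
    ok, msgs = check_pair(SAMPLE_OUTPUTS, SAMPLE_INPUTS)
    print("OK" if ok else "\n".join(msgs))
```

The two mistakes this catches most often in practice are a defaultGroup that names a stanza which was never created (so the forwarder queues data and never sends it) and a receiver that was told to listen on one port while the forwarder was pointed at another; the mismatch message names both ends so you can see which side to fix.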