Deployment Architecture

how can i configure my search head to get the data from a heavy forwarder using CLI(Command Line Interface)?

pavanae
Builder

I am aware of getting the data from an universal forwarder?. Can anyone explain me the process of getting data from a heavy forwarder using CLI?

I would really appreciate if anyone can explain the step by step commands of getting the data..

My splunk search head is in stand alone environment.

0 Karma
1 Solution

lguinn2
Legend

First, just a quick correction to terminology: in Splunk terms, we would say that you are sending data from a forwarder to an indexer or to a standalone Splunk instance. We often use the term "receiver" so that we don't need to specify whether you are forwarding data to an indexer or a standalone Splunk server - or even to another forwarder. It is all configured in the same way. (But "forwarding data to a search head" seems weird and maybe wrong to experienced Splunk folks.)

Second, there are several manuals with step-by-step instructions for configuring the forwarder. I would start with this, the Forwarding Data manual. The advice from Lucas K is fine, but we could do a lot of back-and-forth on your specific needs. It is probably quicker just to start with the manual and ask clarifying questions if needed.

Finally, I would strongly suggest that you use a Universal Forwarder and not a Heavy Forwarder. There are very few cases where a heavy forwarder is needed, and it has performance pitfalls and other possible issues. Especially for a person who is new to Splunk, I suggest that a Universal Forwarder is a better choice. Why do you require a heavy forwarder?

But to ultimately answer your question, which is "how do I use the CLI for this"

On the receiver:

splunk enable listen port

On the forwarder:

splunk add forward-server receiver:port

Where port is any valid and open port number that you like (9997 is often used as an example). And receiver is either the IP address or DNS name of the receiver. However, if you are using a heavy forwarder, you should add the additional settings that Luke K showed in outputs.conf on the forwarder:

[tcpout]
defaultGroup=default-autolb-group
disabled=false
forwardedindex.filter.disable = true

You also need to switch the heavy forwarder to a Forwarder license from the trial license that is pre-installed. You do not need these settings if you are using the Universal Indexer.

View solution in original post

0 Karma

lguinn2
Legend

First, just a quick correction to terminology: in Splunk terms, we would say that you are sending data from a forwarder to an indexer or to a standalone Splunk instance. We often use the term "receiver" so that we don't need to specify whether you are forwarding data to an indexer or a standalone Splunk server - or even to another forwarder. It is all configured in the same way. (But "forwarding data to a search head" seems weird and maybe wrong to experienced Splunk folks.)

Second, there are several manuals with step-by-step instructions for configuring the forwarder. I would start with this, the Forwarding Data manual. The advice from Lucas K is fine, but we could do a lot of back-and-forth on your specific needs. It is probably quicker just to start with the manual and ask clarifying questions if needed.

Finally, I would strongly suggest that you use a Universal Forwarder and not a Heavy Forwarder. There are very few cases where a heavy forwarder is needed, and it has performance pitfalls and other possible issues. Especially for a person who is new to Splunk, I suggest that a Universal Forwarder is a better choice. Why do you require a heavy forwarder?

But to ultimately answer your question, which is "how do I use the CLI for this"

On the receiver:

splunk enable listen port

On the forwarder:

splunk add forward-server receiver:port

Where port is any valid and open port number that you like (9997 is often used as an example). And receiver is either the IP address or DNS name of the receiver. However, if you are using a heavy forwarder, you should add the additional settings that Luke K showed in outputs.conf on the forwarder:

[tcpout]
defaultGroup=default-autolb-group
disabled=false
forwardedindex.filter.disable = true

You also need to switch the heavy forwarder to a Forwarder license from the trial license that is pre-installed. You do not need these settings if you are using the Universal Indexer.

0 Karma

somesoni2
Revered Legend

Could you provide more information here on what you're trying to achieve? Are you trying to setup your heavy forwarder and your standalone Splunk instance to enable data forwarding? If yes, then process of enabling forwarding of HF or UF and enabling receiving on Indexer/Standalone full Enterprise is same. The only difference that you'll see between getting data from UF vs HF is that the sourcetype definition would be on Indexer/Standalone splunk in case of UF and the same would be configured in HF in case HF.

0 Karma

pavanae
Builder

I'm trying to forward data from a heavy forwarder to the standalone splunk instance.

0 Karma

Lucas_K
Motivator

Forwarding data from a HF is the same as a UF (as somesoni2 already said).

Just set the destination on the outputs.conf on the HF to be the standalone splunk instance.

outputs.conf
[tcpout]
defaultGroup=standalone
disabled=false
forwardedindex.filter.disable = true

[tcpout:standalone]
server=mystandalonehost.com:9997

On the standalone instance make sure you are listening on the standard splunk receiving port (9997)
inputs.conf
[splunktcp://9997]

Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...