I'm trying to set up a test environment to be used in production. Will be taking data from another Splunk heavy forwarder (HF) and sending it to our HF.
Must use UDP to transmit the data.
I have played around with creating outputs.conf/inputs.conf, props.conf, and transforms.conf. But it keeps looking like it's indexing on the first HF and not getting to the second HF.
I have tested with Netcat that UDP is sent to the other machine, watching with tcpdump.
Was using UDP:1514 for testing purposes.
If anyone can assist: I can try and add the .conf files, but I think they are all messed up now, so I'm not sure if it would be helpful to post them.
Have you seen this exact example: https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Outputsconf#Syslog_output
This should do it (in outputs.conf):
[syslog]
defaultGroup = mySyslogServer
[syslog:mySyslogServer]
server = [<ip>|<servername>]:<port>
type = udp
I highly advise against sending UDP directly to Splunk using a UDP listener. Instead, set up syslog-ng as described here:
http://www.georgestarcher.com/splunk-success-with-syslog/
one way connection so use UDP. I can see data coming from HF1 to HF2 using tcpdump watching port 514. But it's not being indexed. Below are my conf files. Probably something wrong in the
HF1
outputs.conf
[syslog:syslog-output1]
# attributes use "key = value", not "key: value"
server = X.X.X.6:514
type = udp
props.conf
[host::local*]
TRANSFORMS-syslog = send_to_syslog
transforms.conf
[send_to_syslog]
# attribute names are case-sensitive: DEST_KEY, not dest_key
DEST_KEY = _SYSLOG_ROUTING
# must match the <group> part of the [syslog:<group>] stanza in outputs.conf
FORMAT = syslog-output1
inputs.conf (HF2)
[udp://514]
_rcvbuf = 16777216
queueSize = 2048mb
persistentQueueSize = 4096mb
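As an added check (example code, not from this thread or from Splunk), a small script that reads the three HF1 files above and reports the mistakes that break the props -> transforms -> [syslog:<group>] routing chain: a ':' used instead of '=', a lower-case dest_key, and a FORMAT that names no syslog output group. The sample file contents are constructed copies of the posted files.

```python
# Added example (not part of the thread): lint the HF1 files above for syslog-routing mistakes.
# Constructed copies of the posted HF1 files, defects included.
BROKEN_OUTPUTS = "[syslog:syslog-output1]\nserver: X.X.X.6:514\ntype: udp\n"
PROPS = "[host::local*]\nTRANSFORMS-syslog = send_to_syslog\n"
BROKEN_TRANSFORMS = "[send_to_syslog]\ndest_key = _SYSLOG_ROUTING\nFORMAT = syslog_out1\n"


def parse_conf(text):
    """Minimal Splunk .conf reader: [stanza] headers and 'key = value' lines; ':' separators are flagged."""
    stanzas, problems, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line:
            key, _, val = line.partition("=")
            stanzas.setdefault(current, {})[key.strip()] = val.strip()
        elif ":" in line:  # 'server: host:port' is not a Splunk attribute line and is ignored by Splunk
            problems.append(f"[{current}] '{line}': Splunk expects 'key = value', not ':'")
    return stanzas, problems


def lint_syslog_routing(outputs, props, transforms):
    """Return problems that would stop events reaching a [syslog:<group>] output."""
    out, problems = parse_conf(outputs)
    pr, p = parse_conf(props)
    tr, q = parse_conf(transforms)
    problems += p + q
    groups = {name.split(":", 1)[1] for name in out if name.startswith("syslog:")}
    for stanza, kv in pr.items():
        for key, tname in kv.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            if tname not in tr:
                problems.append(f"[{stanza}] {key} names a transform '{tname}' that does not exist")
                continue
            t = tr[tname]
            if t.get("DEST_KEY") != "_SYSLOG_ROUTING":  # attribute names are case-sensitive
                problems.append(f"[{tname}] needs DEST_KEY = _SYSLOG_ROUTING, found {t}")
            if t.get("FORMAT") not in groups:
                problems.append(f"[{tname}] FORMAT={t.get('FORMAT')!r} matches no [syslog:<group>] {sorted(groups)}")
    return problems


if __name__ == "__main__":
    for msg in lint_syslog_routing(BROKEN_OUTPUTS, PROPS, BROKEN_TRANSFORMS):
        print(msg)
```

Run against the posted files it reports four problems; with '=' separators, DEST_KEY in upper case and FORMAT = syslog-output1 it reports none.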