Getting Data In

Can you help me understand the forwarder to indexers data flow?

siemteam
Explorer

Hello,

I know that forwarders have the path /opt/splunk/etc/system/local where you can find files like inputs.conf, outputs.conf, props.conf... and when you create an input application (for example to read logs from a path) you have the path /app_folder/local where you can find files with the same names (inputs.conf, outputs.conf...).

What is the difference between the files in each path?

In the case that you have different universal forwarders, and forward data to a heavy forwarder to filter and finally send to the indexers, how can I configure a heavy forwarder to define which app is going to work with the data from each source?

Thanks

0 Karma

skalliger
SplunkTrust

Hey,

there are a few points to consider.
First off, forwarders usually have a different path, e.g. /opt/splunkforwarder/etc/..., so you know you're on a forwarder system and not a Splunk instance.

  1. There is a config file order, which is described here.
  2. You should go one way for defining your configs. Either you push them into apps and deploy those apps with a deployment server on your forwarders, then you will have all your configs inside your app's directories. On the other hand you could - for example on a heavy forwarder - have different configs in different directories, which will make it really hard to know where your configs are. So decide which way you want to go. Either put them into system/local or put all necessary configs into the corresponding app directory.

Skalli

0 Karma

siemteam
Explorer

Thanks for the information, I understand that /opt/splunk is an instance (heavy FW for example) and /opt/splunkforwarder is used on a UF, right?

At the moment, I'm getting data from a path on the same machine where the heavy forwarder is installed (the data is being received through rsyslog), but now I need to receive data from another heavy forwarder used by another company (this HFW cannot send logs directly to my indexers). Here is where I need to understand how to configure it to forward me logs from one platform (the heavy forwarder works with data from many other platforms).

I'm going to read the provided link about precedence to clarify how it works.

A lot of thanks

0 Karma

skalliger
SplunkTrust

That's correct. For a simple configuration overview, I simply link to my own answer from the past on how to configure sending data from one forwarder to another: how to configure an intermediate forwarder.
So in this case, their HF will send data to your HF and you will then forward it to your indexers.
I hope this answers your question. 🙂

Skalli

0 Karma
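The two threads above (the config file precedence order mentioned in the first answer, and the intermediate forwarder layout in the second) are easiest to see by layering the same stanza across the directories an HF actually reads. The script below is an added example written for this page, not Splunk code and not from either poster; it models only the documented global-context order for a single app (system/local over app/local over app/default over system/default; ordering between several apps is covered by the precedence document linked above and is not modelled here). All directory contents, hostnames and app name are constructed for the example.

```python
"""Toy resolver for Splunk's global-context configuration precedence.

Added example (not Splunk code). Models how a heavy forwarder ends up with
one effective outputs.conf / inputs.conf when the same stanza exists in
several directories. Order, lowest priority first (single app assumed):
    etc/system/default < etc/apps/<app>/default < etc/apps/<app>/local < etc/system/local
A later layer overwrites individual keys from an earlier one; keys it does
not mention are kept.
"""
from configparser import ConfigParser

# Lowest-to-highest priority; later entries win.
GLOBAL_LAYER_ORDER = ["system/default", "app/default", "app/local", "system/local"]


def parse_conf(text):
    """Parse Splunk-style [stanza] / key = value text into {stanza: {key: value}}."""
    cp = ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case, e.g. useACK
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def resolve(layers):
    """Merge conf texts keyed by layer name.

    Returns (effective, origin): effective[stanza][key] is the winning value,
    origin[stanza][key] names the layer it came from (what btool --debug shows).
    """
    effective, origin = {}, {}
    for layer in GLOBAL_LAYER_ORDER:
        text = layers.get(layer)
        if text is None:
            continue
        for stanza, settings in parse_conf(text).items():
            effective.setdefault(stanza, {})
            origin.setdefault(stanza, {})
            for key, value in settings.items():
                effective[stanza][key] = value
                origin[stanza][key] = layer
    return effective, origin


# Constructed outputs.conf contents on the receiving HF (the "intermediate
# forwarder"). The app holds the intended indexer list; an old entry was left
# behind in system/local, which is exactly the "configs in many directories"
# problem from the first answer.
OUTPUTS_LAYERS = {
    "app/default": "[tcpout]\ndefaultGroup = indexers\n"
                   "[tcpout:indexers]\nserver = idx1.example.com:9997\n",
    "app/local":   "[tcpout:indexers]\n"
                   "server = idx1.example.com:9997, idx2.example.com:9997\n"
                   "useACK = true\n",
    "system/local": "[tcpout:indexers]\nserver = idx-old.example.com:9997\n",
}

# Constructed inputs.conf contents: the app ships the splunktcp listener
# disabled; app/local turns it on so the other company's HF can connect.
INPUTS_LAYERS = {
    "app/default": "[splunktcp://9997]\ndisabled = 1\nconnection_host = ip\n",
    "app/local":   "[splunktcp://9997]\ndisabled = 0\n",
}


def effective_outputs():
    return resolve(OUTPUTS_LAYERS)


def effective_inputs():
    return resolve(INPUTS_LAYERS)


def report(title, effective, origin):
    print(f"== {title} ==")
    for stanza, settings in effective.items():
        print(f"[{stanza}]")
        for key, value in settings.items():
            print(f"  {key} = {value}    # from {origin[stanza][key]}")


if __name__ == "__main__":
    report("outputs.conf (effective)", *effective_outputs())
    report("inputs.conf (effective)", *effective_inputs())
```

Run as-is, the report shows that system/local still overrides the indexer list from the app (server comes from system/local while useACK survives from app/local), which is the situation the first answer warns about: pick either system/local or the app directory for a setting, not both. On a real instance `splunk btool outputs list --debug` gives the same per-key provenance.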

siemteam
Explorer

A lot of thanks, I'm going to check it!

0 Karma