Hello,
I know that forwarders have the path /opt/splunk/etc/system/local where you can find files like inputs.conf, outputs.conf, props.conf... and when you create an input application (for example to read logs from a path) you have the path /app_folder/local where you can find files with the same name (inputs.conf, outputs.conf...)
What is the difference between the files in each path?
In the case that you have different universal forwarders, and forward data to a Heavy Forwarder to filter and finally send to indexers, how can I configure a heavy forwarder to define which app is going to work with the data from any source?
Thanks
Hey,
there are a few points to consider.
First off, forwarders usually have a different path, e.g. /opt/splunkforwarder/etc/.. So you know you're on a forwarder system and not a Splunk instance.
Skalli
Thanks for the information, I understand that /opt/splunk is an instance (heavy FW for example) and /opt/splunkforwarder is used on UF, right?
At the moment, I'm getting data from a path on the same machine where the heavy forwarder is installed (the data is being received through rsyslog), but now I need to receive data from another heavy forwarder used by another company (this HFW cannot send logs directly to my indexers). Here is where I need to understand how to configure it to forward me logs from one platform (the heavy forwarder works with data of many other platforms).
I'm going to read the provided link about precedence to clarify how it works.
A lot of thanks
That's correct. For a simple configuration overview, I'll simply link to my own past answer on how to configure sending data from one forwarder to another: how to configure an intermediate forwarder.
So in this case, their HF will send data to your HF and you will then forward it to your indexers.
I hope this answers your question. 🙂
Skalli
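The forwarding chain described in the answer above, as an added configuration sketch that is not part of the original thread: the other company's heavy forwarder routes only one platform's input to your heavy forwarder, which relays everything it receives to your indexers. Host names, the IP address, port 9997, the monitored path and the group names are constructed placeholders.

```ini
# ---- Sending heavy forwarder (other company): inputs.conf ----
# Route only this platform's input to the partner output group.
# Inputs without _TCP_ROUTING keep using that forwarder's own defaultGroup.
[monitor:///var/log/platform_a]
_TCP_ROUTING = partner_hf

# ---- Sending heavy forwarder: outputs.conf ----
# Output group pointing at the receiving heavy forwarder (placeholder host).
[tcpout:partner_hf]
server = hf.example.org:9997

# ---- Receiving heavy forwarder (yours): inputs.conf ----
# Listen for Splunk-to-Splunk traffic and accept it only from the
# sender's address (placeholder IP) instead of from any host.
[splunktcp://9997]
acceptFrom = 203.0.113.10
disabled = 0

# ---- Receiving heavy forwarder: outputs.conf ----
# Relay everything that arrives on to your own indexers (placeholder hosts).
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = idx1.example.org:9997, idx2.example.org:9997
```

Each file can live in an app's local directory or in etc/system/local on the respective forwarder; which copy wins when both define the same setting is decided by the configuration precedence rules mentioned earlier in the thread.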
A lot of thanks, I'm going to check it!