Getting Data In

Can you help me understand the forwarder to indexers data flow?

siemteam
Explorer

Hello,

I know that forwarders have the path /opt/splunk/etc/system/local where you can find files like inputs.conf, outputs.conf, props.conf..., and when you create an input application (for example to read logs from a path) you have the path /app_folder/local where you can find files with the same names (inputs.conf, outputs.conf...).

What is the difference between the files in each path?

In the case that you have different universal forwarders that forward data to a heavy forwarder to filter and finally send to indexers, how can I configure the heavy forwarder to define which app is going to work with the data from any source?

Thanks

0 Karma

skalliger
Motivator

Hey,

there are a few points to consider.
First off, forwarders usually have a different path, e.g. /opt/splunkforwarder/etc/.., so you know you're on a forwarder system and not a Splunk instance.

  1. There is a config file order, which is described here.
  2. You should go one way for defining your configs. Either you push them into apps and deploy those apps with a deployment server on your forwarders, then you will have all your configs inside your app's directories. On the other hand you could - for example on a heavy forwarder - have different configs in different directories which will make it really hard to know where your configs are. So decide which way you want to go. Either put them into system/local or put all necessary configs into the corresponding app directory.

Skalli

0 Karma

siemteam
Explorer

Thanks for the information. I understand that /opt/splunk is an instance (a heavy FW, for example) and /opt/splunkforwarder is used on a UF, right?

At the moment, I'm getting data from a path on the same machine where the heavy forwarder is installed (the data is being received through rsyslog), but now I need to receive data from another heavy forwarder used by another company (this HFW cannot send logs directly to my indexers). This is where I need to understand how to configure it to forward me the logs from one platform (the heavy forwarder works with data from many other platforms).

I'm going to read the provided link about precedence to clarify how it works.

Many thanks

0 Karma

skalliger
Motivator

That's correct. For a simple configuration overview, I'll simply link to my own answer from the past on how to send data from one forwarder to another: how to configure an intermediate forwarder.
So in this case, their HF will send data to your HF and you will then forward it to your indexers.
I hope this answers your question. 🙂

Skalli

0 Karma
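As an added example, not from this thread, here is a minimal pair of .conf files for the receiving heavy forwarder in the setup skalliger describes: one app directory holding an inputs.conf that listens for the partner company's HF and an outputs.conf that forwards everything on to your indexers. The app name, hostnames, ports and certificate path are assumptions.

```ini
# Added example: $SPLUNK_HOME/etc/apps/hf_receiver/local/inputs.conf
# (the app name "hf_receiver" is assumed)
# Listen for the partner company's heavy forwarder on TCP 9997 over TLS,
# since this traffic crosses an organisational boundary.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# Certificate path and password are placeholders; use your own PKI.
serverCert = $SPLUNK_HOME/etc/auth/hf_receiver_server.pem
sslPassword = <certificate password>
# Only accept forwarders that present a client certificate you trust.
requireClientCert = true

# Added example: $SPLUNK_HOME/etc/apps/hf_receiver/local/outputs.conf
# Forward everything this HF receives to your own indexers (hostnames assumed).
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
# Events from the partner HF arrive already parsed ("cooked") and are not
# re-parsed here, so any props/transforms filtering has to run on the first
# heavy forwarder that handles the raw data, not on this intermediate one.
```

To confirm which file each setting actually comes from once precedence is applied, run `splunk btool inputs list --debug` and `splunk btool outputs list --debug` on the HF.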

siemteam
Explorer

Many thanks, I'm going to check it!

0 Karma