Getting Data In

Chaining Universal Forwarder

nikhilmehra79
Path Finder

I am trying to do this:
Universal Forwarder1--> TCP 9997 --> Universal Forwarder2--> TCP 9997 --> Indexer (Search Head)

I see packets from UF 1 leaving on the firewalls and being received on UF 2, but I'm not sure which file I need to edit to make UF 2 take those packets and send them to the Indexer.

Is it inputs.conf at UF 2 that I need to modify? How does UF 2 know that it needs to take packets from UF 1 and forward them to the Indexer?

0 Karma

echalex
Builder

In order to enable the intermediary forwarder to listen for data, you have to add a stanza to its inputs.conf:

[splunktcp://9997]

Or, if you want SSL:

[splunktcp-ssl://9997]

A universal forwarder does no local indexing, so the events will be forwarded, as specified in outputs.conf, by default. You can specify which indexes should be forwarded by changing the blacklists and whitelists in outputs.conf. Have a look at system/default/outputs.conf to see what is blacklisted and whitelisted by default. Basically, everything is forwarded, except anything starting with an underscore.

Two comments in general:

  1. If you can avoid an intermediary forwarder, you may be better off without one. For me, they have caused more problems than they have solved.
  2. You may want to consider a heavy forwarder, depending on your needs.
0 Karma

martin_mueller
SplunkTrust

On the intermediate forwarder (UF2) you'll need to enable receiving and forwarding. From the CLI, you'd do this:

$SPLUNK_HOME/bin/splunk add forward-server yourserver:9997
(repeat for any additional receivers)
$SPLUNK_HOME/bin/splunk enable listen 9997

The first command modifies outputs.conf by adding the servers to the default group; the last one modifies inputs.conf by adding a [splunktcp://9997] stanza.

Note, I've seen _internal indexes sent from UFs to indexers but dropped when putting an intermediate forwarder in between. If you see that as well and want to forward them on, add this to the [tcpout] stanza of outputs.conf on the intermediate forwarder (UF2):

forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = (_internal|_audit)
forwardedindex.2.blacklist = _.*
0 Karma
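The two answers above describe the same intermediate-forwarder setup from two angles: the inputs.conf listener plus outputs.conf receivers, and the forwardedindex whitelist/blacklist filters that decide whether _internal and friends survive the extra hop. The script below is an added example (not code from either poster or from Splunk) that parses constructed copies of both files and checks exactly those things before you restart UF2: is there a listener, is it plaintext splunktcp or splunktcp-ssl, which receivers are configured, and which index names the [tcpout] filters would actually pass. The .conf samples, the host name indexer.example.com, and the certificate paths are constructed for the example. Two rule-semantics assumptions are labelled in the code: filters are tested from forwardedindex.0 upward and the last matching one decides (the only reading under which the default 0.whitelist = .* followed by 1.blacklist = _.* blocks anything), and an index matching no filter is forwarded.

```python
"""Sanity-check an intermediate Universal Forwarder's inputs.conf / outputs.conf.

Added example, not Splunk code. Parses the minimal .conf syntax used in the
thread ([stanza], key = value, # comments) and reports listeners, receivers and
the effect of [tcpout] forwardedindex.<n>.whitelist/blacklist filters.
"""
import re

# Constructed sample: what `splunk enable listen 9997` leaves in inputs.conf on UF2.
INPUTS_PLAINTEXT = """
[splunktcp://9997]
"""

# Constructed sample: the SSL variant from the thread, with an [SSL] stanza.
# Certificate paths are assumptions for the example, not Splunk defaults.
INPUTS_SSL = """
[splunktcp-ssl://9997]

[SSL]
serverCert = /opt/splunkforwarder/etc/auth/uf2-server.pem
sslPassword = changeme
requireClientCert = true
"""

# Constructed sample: outputs.conf on UF2 after `splunk add forward-server`,
# with the default-style filters plus a later whitelist for _internal/_audit.
OUTPUTS = """
[tcpout]
defaultGroup = default-autolb-group
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_internal|_audit)
forwardedindex.filter.disable = false

[tcpout:default-autolb-group]
server = indexer.example.com:9997
"""


def parse_conf(text):
    """Return {stanza: {key: value}}; blank lines and # comments are skipped."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            conf.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            conf[current][key.strip()] = value.strip()
    return conf


def listeners(conf):
    """[(scheme, port)] for every splunktcp:// or splunktcp-ssl:// input stanza."""
    found = []
    for stanza in conf:
        m = re.fullmatch(r"(splunktcp(?:-ssl)?)://(\d+)", stanza)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def receivers(conf):
    """{group: [host:port, ...]} for every [tcpout:<group>] stanza with a server key."""
    out = {}
    for stanza, kv in conf.items():
        if stanza.startswith("tcpout:") and "server" in kv:
            out[stanza.split(":", 1)[1]] = [s.strip() for s in kv["server"].split(",")]
    return out


def index_filters(conf):
    """Ordered [(n, kind, regex)] from [tcpout] forwardedindex.<n>.<kind>.
    If both kinds exist for one <n>, only the whitelist is kept (outputs.conf.spec)."""
    by_n = {}
    for key, value in conf.get("tcpout", {}).items():
        m = re.fullmatch(r"forwardedindex\.(\d+)\.(whitelist|blacklist)", key)
        if m:
            by_n.setdefault(int(m.group(1)), {})[m.group(2)] = value
    rules = []
    for n in sorted(by_n):
        kind = "whitelist" if "whitelist" in by_n[n] else "blacklist"
        rules.append((n, kind, re.compile(by_n[n][kind])))
    return rules


def would_forward(conf, index):
    """True if an event destined for `index` passes the [tcpout] filters.
    ASSUMPTION: filters are tested in <n> order and the last match decides;
    an index matching no filter is forwarded. Names are matched in full."""
    tcpout = conf.get("tcpout", {})
    if tcpout.get("forwardedindex.filter.disable", "false").lower() == "true":
        return True
    decision = True
    for _n, kind, rx in index_filters(conf):
        if rx.fullmatch(index):
            decision = (kind == "whitelist")
    return decision


if __name__ == "__main__":
    for name, text in (("plaintext", INPUTS_PLAINTEXT), ("ssl", INPUTS_SSL)):
        print(name, "listeners:", listeners(parse_conf(text)))
    out = parse_conf(OUTPUTS)
    print("receivers:", receivers(out))
    for idx in ("main", "_internal", "_audit", "_introspection"):
        print(f"{idx:15s} forwarded={would_forward(out, idx)}")
```

Run it against your real $SPLUNK_HOME/etc/system/local files (or the output of `splunk btool outputs list tcpout`) by swapping the constructed strings for file contents. A plaintext splunktcp listener in the result is the cue to move to splunktcp-ssl with requireClientCert, since an intermediate forwarder otherwise accepts events from anything that can reach port 9997. If `_internal` comes back False, the blacklist for `_.*` is the last rule that matches it; move the whitelist for the indexes you want after it.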