Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Collector/Forwarder

fisk12
Path Finder
‎04-25-2011 01:13 PM

Say for example i have a environment that is being split into two different networks (routed through different firewalls) I have my "main" splunk server on one of the network. Is is possible to use one or more splunk instance as "collectors" on the other net and send it to the main splunk server. I rather don't want to set up routing/firewalls opening more then absolutely necessary.

0 Karma
Reply

fisk12
Path Finder
‎04-25-2011 02:57 PM

Cool, so basically i just have to set the servers on Net a to send their stuff to "Box A" and then just set "Box A" as a forwarder and send its stuff to box B?

0 Karma
Reply

David
Splunk Employee
Splunk Employee
‎04-25-2011 01:30 PM

You can absolutely set up a firewall between separate subnets, but as with anything IP based, you're going to need firewall rules to allow it. If you set up a forwarder in subnet A, it's going to forward to whatever port you define in your inputs.conf on the indexer (and outputs.conf on the forwarder). You can set whatever port you want, though, so it will you don't need to allow TCP Any, or port 80/443, or etc. You could, say, use port 12345, which is nice and distinct for firewall admins.

Reply

David
Splunk Employee
Splunk Employee
‎04-25-2011 02:40 PM

Ah ha, gotcha. Unless you're sending obscenely large amounts of data, or have an obscenely underpowered box in Net A, that should work fine. Forwarding is very resource light, so you can have a local forwarder send everything to the main box. Just note that you have to have the box in Net A be a forwarder, rather than an indexer. You can't double-index the data, unless you have the licensing to support it.

0 Karma
Reply

fisk12
Path Finder
‎04-25-2011 01:41 PM

Yeah well im also doing a big part of the firewall stuff myself so i know about that stuff. What i meant was if its working good to have some servers on Net A send their stuff to a smaller splunk server on net A, that server then sends it stuff to the "real" splunk server on net B. With that i only have the static route between the two splunk servers configured, insted of the hole net A- Net B.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...