Good morning livehybrid,

Thank you very much for your suggestion. This sounds exactly something I was looking for.

Could you please point me in the right direction on how to create such index definition?

Will also try to research on the subject.

Again, much appreciated.

Kind Regards,

Mike.

The easiest way is copy your indexes.conf from your cluster manager. Then just ensure that it doesn’t contains any SmartStore or other unknown targets etc. then create a new app which contains only this indexes.conf and other files which are needed by any app. Then install this app into your HF.
But as said, you should use some real syslog server instead of use splunk tcp/udp inputs for getting syslog feed into splunk. Even splunk can do it, there are some side effects with it. Probably the biggest is that you will lost all syslog events when you are restarting HF. And this could take several minutes instead of using syslog server or clustered syslog implementation.
You could easily find some old posts where we have discussed about it and give some hints how to do it.

Hi @BoscoBaracus ,

completing this answer: usually HFs are managed by a Deployment Server, so you don't need to use the GUI to configure inputs, and so you can set the correct index in the conf file.

Ciao.

Giuseppe

Good morning gcusello,

Aha, makes sense.

Will try to move the HF to a deployment server then:-)

Much appreciated.

Kind Regards,

Mike.

Hi @BoscoBaracus ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Hi @BoscoBaracus ,

only to be clear:

• Indexers are managed by a  management node called Cluster Manager,
• Heavy Forwarders are managed by a management console called Deployment Server,
• there two roles must be located on two different Splunk servers.

About syslog ingestion, you could use Splunk HF Network inputs, but it isn't a best practice.

The best approach is to configure, on your HFs, one or more rsyslog inputs that receive syslogs and write them in different text files.

Then you can read these text files using one or more file monitoring inputs  and ingest them in Splunk.

You can configure the destination index in these Splunk input files.

To configure rsyslog inputs, you can read at https://www.rsyslog.com/doc/index.html

to configure Splunk file monitring inputs, you can read at https://docs.splunk.com/Documentation/Splunk/9.4.1/Data/MonitorfilesanddirectorieswithSplunkWeb

Ciao.

Giuseppe

Good morning gcusello,

Again, many thanks for your response and suggestion.

Not sure why we have to install rsyslog to receive data locally on the HF and then monitor the ingress into a file just to forward to indexer group. SPLUNK has built in tons of data inputs options which should easily accommodate this. I can do this on Windoze server in about 5 mins using UF. Not sure why it is so difficult to forward data to dedicated index residing on remote indexer directly from HF.

Will keep on digging.

Again, many thanks for your time and suggestions.

Kidn Regards,

Mike.

Hi @BoscoBaracus ,

as I said, you can do it and surely easier than the conf file, but it isn't a best practice, because you must manually configure it, instead using a conf file, managed by the DS, you have a centralized management.

About configuration on Windows UF, you cannot use the GUI because UF hasn't any GUI, you must configure inputs using the conf files or a CLI command.

In addition, using Splunk Network inputs, when you restart Splunk for maintenance or something else, you lose syslogs, instead using rsyslog, that's a standard Linux component (you don't need to install it!), you can receive logs also when Splunk is down.

So I hint, based on Splunk best practices, I hint to use rsyslog, but you're free to use a different solution.

Ciao.

Giuseppe