- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Different management port for forwarders and i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can we use different management ports on Universal forwarders and Indexer cluster?
Since we will also be using indexer discovery on the forwarders, is it possible that forwarders can continue using the default management port 8089 while the indexers can be setup to use 8090?
If yes, what should be the management uri in the forwarder's outputs.conf? Should the port be 8089 (mgmt port of the forwarder) or 8090 (mgmt port of the cluster master) ? I think it's the latter but I want to get that confirmed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tl;dr YES
Any Splunk instance can use any management port that you like - they don't need to be all the same. However, if you want to connect to the cluster master node or the deployment server, etc., you will need to know what management port to use for that instance.
DO NOT USE THE MGMT PORT FOR FORWARDING. Indexers must be set up with a receiving port. The Splunk-to-Splunk forwarding of data uses that port, not the mgmt port.
In outputs.conf, you can give a fixed list of servers that includes the receiving port, eg.
server=indexer1.myco.com:9997,10.2.15.201:9998
OR you can use indexer discovery if you are using indexer clustering. When the forwarder talks to the cluster master node, it is not sending data. Instead it is querying the master node for the server list. So the forwarder must contact the master node on its management port. For example, if the cluster master node is 10.2.15.200 and its mgmt port is 8089, then outputs.conf on the forwarder should contain
master_uri = https://10.2.15.200:8089
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
forwarders management uri will remain 8089 - it has to do with deployment server and not with the cluster master (indexers) which you name for indexers discovery
the port 8090 will be open between your cluster master and indexers
if i understand correctly the requirements
check this stanza in outputs.conf:
indexerDiscovery = <name>
* Instructs the forwarder to fetch the list of indexers from the master node
specified in the corresponding [indexer_discovery:<name>] stanza.
it does not mention ports, only the name
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tl;dr YES
Any Splunk instance can use any management port that you like - they don't need to be all the same. However, if you want to connect to the cluster master node or the deployment server, etc., you will need to know what management port to use for that instance.
DO NOT USE THE MGMT PORT FOR FORWARDING. Indexers must be set up with a receiving port. The Splunk-to-Splunk forwarding of data uses that port, not the mgmt port.
In outputs.conf, you can give a fixed list of servers that includes the receiving port, eg.
server=indexer1.myco.com:9997,10.2.15.201:9998
OR you can use indexer discovery if you are using indexer clustering. When the forwarder talks to the cluster master node, it is not sending data. Instead it is querying the master node for the server list. So the forwarder must contact the master node on its management port. For example, if the cluster master node is 10.2.15.200 and its mgmt port is 8089, then outputs.conf on the forwarder should contain
master_uri = https://10.2.15.200:8089
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On a related note, if we disable the management port on a UF, can it still connect to the cluster master for indexer discovery? Also, can it still connect to the deployment server to fetch config?
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
