Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does UF supports props.conf

BoldKnowsNothin
Path Finder
‎10-02-2023 07:09 PM

Hello comrades,

After my poor research, I found that only heavy forwarder supports props.conf, but it was like 5 or 6 years old posts. I wonder that UF could now support props.conf? Also how do I upgrade to HF?

Many thanks,

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-02-2023 09:00 PM

yep, the props.conf on the UF is very very limited.

SEDCMD on props.conf is only for HF or indexer etc.. 

View solution in original post

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-02-2023 07:40 PM

Yes, HF requires a license. 

 

For a heavy forwarder (HF), you should set up one of the following options:

1) Make the HF a slave of a license master. This will give the HF all of the enterprise capabilities - and the HF will consume no license, as long as it does not index data.

2) Install the forwarder license. This will give the HF many enterprise capabilities, but not all. The HF will be able to parse and forward data. However, it will not be permitted to index and it will not be able to act as a deployment server (as an example). This is the option I would usually choose. (Note that the Universal Forwarder has the forwarder license pre-installed.)

answer from - https://community.splunk.com/t5/Getting-Data-In/Do-we-need-a-license-for-Heavy-forwarder/m-p/210451

 

0 Karma
Reply
Solved! Jump to solution

BoldKnowsNothin
Path Finder
‎10-02-2023 07:46 PM

Sir,

If I can frankly say all I'm trying to do is here.

Configure the Splunk Add-on for Windows - Splunk Documentation 

unfortunately there isn't any information about forwarders here.

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-02-2023 07:59 PM

that page gives very good list of Splunk commands... which step you are stuck exactly.. 

0 Karma
Reply
Solved! Jump to solution

BoldKnowsNothin
Path Finder
‎10-02-2023 08:03 PM

All commands with SEDCMD

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-02-2023 08:13 PM

SEDCMD is a big topic and your one line reply is not helping me/us. 

maybe you should provide moooore details and ask precise questions. 

 

upvotes/karma points are appreciated by all. thanks. 

Reply
Solved! Jump to solution

BoldKnowsNothin
Path Finder
‎10-02-2023 08:26 PM

Sorry for trouble,

As I named myself...

1. Document mentioned that I have to create props.conf in /opt/splunk/deployment.apps/Splunk-TA-windows/local/   ---> created

2. I just copied all lines with SEDCMD and cleared # 

and just hoping to config should work.

All this changes made yesterday,  

Tags (1)
0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-02-2023 08:47 PM

>>> 1. Document mentioned that I have to create props.conf in /opt/splunk/deployment.apps/Splunk-TA-windows/local/   ---> created ..... 

did you create this on the HF, right?


>>> 2. I just copied all lines with SEDCMD and cleared #  and just hoping to config should work.

after updating the props.conf in Hf, did you restart the splunk service on the HF

Reply
Solved! Jump to solution

BoldKnowsNothin
Path Finder
‎10-02-2023 08:49 PM

did you create this on the HF, right?

hehe no, that's why I started asking about HF. So UF cannot take this SEDCMD configs right?

0 Karma
Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-02-2023 09:00 PM

yep, the props.conf on the UF is very very limited.

SEDCMD on props.conf is only for HF or indexer etc.. 

Reply
Solved! Jump to solution

BoldKnowsNothin
Path Finder
‎10-02-2023 09:05 PM

Sorry  one last question. 

Do you suggest us to shift to HF or use indexer?

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-02-2023 07:30 PM

Hi @BoldKnowsNothin ... the UF, still supports, only very limited props.conf tasks. 

https://docs.splunk.com/Documentation/Splunk/9.1.1/admin/Propsconf

on this document, just do a control-F and search for universal.. you will get around 8 matches... only these settings are supported. 

>>> Also how do I upgrade to HF?

generally you dont want to upgrade a UF to a HF.. you need to install a new/fresh HF separately on a system. 

you downlad splunk enterprise package and install it.. and then enable it as a heavy forwarder. let us know if you have doubts.. thanks. 

Reply
Solved! Jump to solution

BoldKnowsNothin
Path Finder
‎10-02-2023 07:32 PM

Hello comrade inventsekar,

Thank you for your help, do I need other kind of licensing to use HV?

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...