Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does UF supports props.conf

BoldKnowsNothin
Path Finder
‎10-02-2023 07:09 PM

Hello comrades,

After my poor research, I found that only heavy forwarder supports props.conf, but it was like 5 or 6 years old posts. I wonder that UF could now support props.conf? Also how do I upgrade to HF?

Many thanks,

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-02-2023 09:00 PM

yep, the props.conf on the UF is very very limited.

SEDCMD on props.conf is only for HF or indexer etc.. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-02-2023 07:40 PM

Yes, HF requires a license. 

 

For a heavy forwarder (HF), you should set up one of the following options:

1) Make the HF a slave of a license master. This will give the HF all of the enterprise capabilities - and the HF will consume no license, as long as it does not index data.

2) Install the forwarder license. This will give the HF many enterprise capabilities, but not all. The HF will be able to parse and forward data. However, it will not be permitted to index and it will not be able to act as a deployment server (as an example). This is the option I would usually choose. (Note that the Universal Forwarder has the forwarder license pre-installed.)

answer from - https://community.splunk.com/t5/Getting-Data-In/Do-we-need-a-license-for-Heavy-forwarder/m-p/210451

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

BoldKnowsNothin
Path Finder
‎10-02-2023 07:46 PM

Sir,

If I can frankly say all I'm trying to do is here.

Configure the Splunk Add-on for Windows - Splunk Documentation 

unfortunately there isn't any information about forwarders here.

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-02-2023 07:59 PM

that page gives very good list of Splunk commands... which step you are stuck exactly.. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

BoldKnowsNothin
Path Finder
‎10-02-2023 08:03 PM

All commands with SEDCMD

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-02-2023 08:13 PM

SEDCMD is a big topic and your one line reply is not helping me/us. 

maybe you should provide moooore details and ask precise questions. 

 

upvotes/karma points are appreciated by all. thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

BoldKnowsNothin
Path Finder
‎10-02-2023 08:26 PM

Sorry for trouble,

As I named myself...

1. Document mentioned that I have to create props.conf in /opt/splunk/deployment.apps/Splunk-TA-windows/local/   ---> created

2. I just copied all lines with SEDCMD and cleared # 

and just hoping to config should work.

All this changes made yesterday,  

Tags (1)
0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-02-2023 08:47 PM

>>> 1. Document mentioned that I have to create props.conf in /opt/splunk/deployment.apps/Splunk-TA-windows/local/   ---> created ..... 

did you create this on the HF, right?


>>> 2. I just copied all lines with SEDCMD and cleared #  and just hoping to config should work.

after updating the props.conf in Hf, did you restart the splunk service on the HF

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

BoldKnowsNothin
Path Finder
‎10-02-2023 08:49 PM

did you create this on the HF, right?

hehe no, that's why I started asking about HF. So UF cannot take this SEDCMD configs right?

0 Karma
Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-02-2023 09:00 PM

yep, the props.conf on the UF is very very limited.

SEDCMD on props.conf is only for HF or indexer etc.. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

BoldKnowsNothin
Path Finder
‎10-02-2023 09:05 PM

Sorry  one last question. 

Do you suggest us to shift to HF or use indexer?

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-02-2023 07:30 PM

Hi @BoldKnowsNothin ... the UF, still supports, only very limited props.conf tasks. 

https://docs.splunk.com/Documentation/Splunk/9.1.1/admin/Propsconf

on this document, just do a control-F and search for universal.. you will get around 8 matches... only these settings are supported. 

>>> Also how do I upgrade to HF?

generally you dont want to upgrade a UF to a HF.. you need to install a new/fresh HF separately on a system. 

you downlad splunk enterprise package and install it.. and then enable it as a heavy forwarder. let us know if you have doubts.. thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

BoldKnowsNothin
Path Finder
‎10-02-2023 07:32 PM

Hello comrade inventsekar,

Thank you for your help, do I need other kind of licensing to use HV?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...