Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does a forwarder need to connect through an indexer?

smellpit
Explorer
‎12-24-2016 03:26 PM

I'm a brand new Splunk user. I've seen you can have just an Enterprise install, no forwarders, monitoring local data only (off-topic to expand on the "only"). Since the single install handles search head & indexer duties (right?), I've been trying to install a forwarder on the same Enterprise box but can't get it to connect. I also tried a separate box for just the forwarder & netstat did say "9997" ESTABLISHED on both machines; still no forwarder data connection.

If a forwarder does need an indexer, could the indexer & forwarder be on the same machine? I'd tend to think yes but then again...

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎12-25-2016 08:12 AM

-- I also tried a separate box for just the forwarder & netstat did say "9997" ESTABLISHED on both machines; still no forwarder data connection.

For that you better start with I can't find my data!

If we look at -

alt text

We can see the Splunk tiers. The forwarders, universal and heavy can be anywhere as long as long as they can interact with the index tier.

View solution in original post

Preview file
174 KB
Reply
Solved! Jump to solution

gneumann_splunk
Splunk Employee
Splunk Employee
‎01-03-2017 02:59 PM

You can also see the Splunk Universal Forwarder "Forwarder Manual" and the "How to forward data to Splunk Enterprise" section at http://docs.splunk.com/Documentation/Forwarder/6.5.1/Forwarder/HowtoforwarddatatoSplunkEnterprise. The steps are listed 1-7 at the top of the topic, and you can scroll down for individual configuration steps/info.

Reply
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎12-25-2016 08:12 AM

-- I also tried a separate box for just the forwarder & netstat did say "9997" ESTABLISHED on both machines; still no forwarder data connection.

For that you better start with I can't find my data!

If we look at -

alt text

We can see the Splunk tiers. The forwarders, universal and heavy can be anywhere as long as long as they can interact with the index tier.

Preview file
174 KB
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎12-25-2016 03:20 AM

The Splunk enterprise installation can also be a heavy forwarder.

A Splunk enterprise instance is able to read log files and run scripts just like a universal forwarder, so in this case your installation will be the indexer & search head (note these are just descriptions of what role the installation is playing, it is the same enterprise installation of Splunk), the indexer is able to ingest logs from the local machine or via shares/scripts.

In the scenario you are describing it would not make sense to install a universal forwarder on the same machine, you would want to install the universal forwarder on a remote machine you need to obtain logs from and then you send the logs to your indexer.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...