Forward data from splunk to splunk instance

jmsiegma
Path Finder

I have a network where I have a splunk instance that is off to the side on my network, as in:

Core Splunk Instance (S1) -> Remote Site Splunk (S2) -> Sub Remote Site (S3) -> Clients (C1) Universal Forwarders

What I would like to do is have all the clients on the far end (C1) running Splunk's universal forwarder send their data to the local Splunk server (S3), and then have that server pass all the data to an in-between Splunk server (S2), which will do nothing more than forward it to the core Splunk instance (S1), but I am unsure how I would configure this, or what it would be referred to as in the Splunk documentation world.

The reason for doing this is that the Splunk site (S3) does not have a way to communicate with the Core Splunk Site (S1), so I have to forward it through a middle man of some type, and given I have a Splunk server in the middle, I have been hinted that this is possible.

I do not need (S2) or (S3) to be able to keep the files, just simply forward them down stream to the Core Splunk instance.

My questions are:

  • What type of install does Splunk Servers (S2) & (S3) have to be to be able to do this? Universal or Full or Either?
  • What would the configs look like on (S3) & (S2) to make this happen?

Thank you

1 Solution

jmsiegma
Path Finder

On (S3) Farthest from the Core:

Create: inputs.conf

[splunktcp://9997]
disabled = 0 
compressed = true

Create: outputs.conf

[tcpout:splunkindexer_9997]
server={IP of S2}:9997
heartbeatFrequency = 30
compressed = true

On (S2):
Create: inputs.conf

[splunktcp://9997]
disabled = 0
compressed = true

Create: outputs.conf

[tcpout]
defaultGroup=splunkindexer_9997

[tcpout:splunkindexer_9997]
server={cluster IP1}:9997, {cluster IP2}:9997, {cluster IP3}:9997, {cluster IP4}:9997
heartbeatFrequency = 30
autoLBFrequency=30
compressed = true
useACK = true

martin_mueller
SplunkTrust

The Splunks in the middle for forwarding without storing are called intermediate forwarders. Usually a Universal Forwarder install is enough, and it does not consume license volume because it doesn't do any indexing. The basic config looks like this:

C1: Enable outputs.conf to send to S3
S3: Enable receiving in inputs.conf, set outputs.conf to send to S2
S2: Enable receiving in inputs.conf, set outputs.conf to send to S1
S1: Enable receiving in inputs.conf

S1 is a regular full-fat Splunk instance that does the parsing and indexing, the others only forward data.

Here's an entry point into the docs on intermediate forwarders: http://docs.splunk.com/Documentation/Splunk/6.0.3/Forwarding/Forwarderdeploymenttopologies#Intermedi...
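The accepted answer's stanzas and the per-hop steps above leave two things easy to get wrong in a multi-hop chain: each hop's [tcpout] target must point at the next hop on a port that hop actually has a splunktcp input enabled on, and useACK needs to be on for every link, because an intermediate forwarder that dies with unacknowledged events in memory loses them. The Python script below is an added example, not code from the thread or from Splunk; it parses the inputs.conf and outputs.conf of each hop and reports inconsistencies. The function names (`parse_conf`, `check_chain` and so on) and the 10.x addresses are invented for the example; the stanzas are modelled on the accepted answer.

```python
"""Sanity-check a chain of Splunk intermediate forwarders (added example)."""
import configparser
import re

# Matches [splunktcp://9997] and [splunktcp-ssl://9997], optionally host-restricted.
SPLUNKTCP_STANZA = re.compile(r"^splunktcp(?:-ssl)?://(?:[^:\]]+:)?(\d+)$")


def parse_conf(text):
    """Parse a Splunk .conf file into {stanza: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk setting names are case-sensitive (useACK, not useack)
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def is_true(value):
    return str(value).strip().lower() in ("1", "true")


def listening_ports(inputs):
    """Ports on which an inputs.conf accepts forwarded Splunk data."""
    ports = set()
    for stanza, settings in inputs.items():
        match = SPLUNKTCP_STANZA.match(stanza)
        if match and not is_true(settings.get("disabled", "0")):
            ports.add(int(match.group(1)))
    return ports


def forward_targets(outputs):
    """(group, host, port, group settings) for every target an outputs.conf sends to."""
    groups = [s for s in outputs if s.startswith("tcpout:")]
    default = outputs.get("tcpout", {}).get("defaultGroup")
    if default:  # defaultGroup restricts forwarding to the named groups only
        wanted = {"tcpout:" + g.strip() for g in default.split(",")}
        groups = [g for g in groups if g in wanted]
    targets = []
    for group in groups:
        for entry in outputs[group].get("server", "").split(","):
            if entry.strip():
                host, _, port = entry.strip().rpartition(":")
                targets.append((group, host, int(port), outputs[group]))
    return targets


def check_chain(hops):
    """hops: ordered list of {name, hosts, inputs, outputs}; the last hop is the indexer.

    Returns human-readable findings; an empty list means every link is consistent.
    """
    findings = []
    for src, dst in zip(hops, hops[1:]):
        link = f"{src['name']} -> {dst['name']}"
        outputs = parse_conf(src["outputs"])
        ports = listening_ports(parse_conf(dst["inputs"]))
        targets = forward_targets(outputs)
        if not targets:
            findings.append(f"{link}: no active tcpout target on {src['name']}")
        for group, host, port, settings in targets:
            if host not in dst["hosts"]:
                findings.append(f"{link}: [{group}] sends to {host}, which is not {dst['name']}")
            if port not in ports:
                findings.append(f"{link}: {dst['name']} has no enabled splunktcp input on port {port}")
            # useACK may be set per group or globally in [tcpout]; it defaults to false.
            ack = settings.get("useACK", outputs.get("tcpout", {}).get("useACK", "false"))
            if not is_true(ack):
                findings.append(f"{link}: useACK is not enabled, so events held in memory on "
                                f"{dst['name']} can be lost if it crashes")
    return findings


# Constructed sample configs for S3 -> S2 -> S1 (made-up addresses, stanzas after the answer).
RECEIVER_INPUTS = "[splunktcp://9997]\ndisabled = 0\ncompressed = true\n"
S3_OUTPUTS = """\
[tcpout:splunkindexer_9997]
server = 10.0.2.10:9997
heartbeatFrequency = 30
compressed = true
"""
S2_OUTPUTS = """\
[tcpout]
defaultGroup = splunkindexer_9997

[tcpout:splunkindexer_9997]
server = 10.0.1.10:9997, 10.0.1.11:9997
autoLBFrequency = 30
compressed = true
useACK = true
"""
S3 = {"name": "S3", "hosts": {"10.0.3.10"}, "inputs": RECEIVER_INPUTS, "outputs": S3_OUTPUTS}
S2 = {"name": "S2", "hosts": {"10.0.2.10"}, "inputs": RECEIVER_INPUTS, "outputs": S2_OUTPUTS}
S1 = {"name": "S1", "hosts": {"10.0.1.10", "10.0.1.11"}, "inputs": RECEIVER_INPUTS}


def example_findings():
    """The chain as posted: only the S3 -> S2 link is missing useACK."""
    return check_chain([S3, S2, S1])


def broken_chain_findings():
    """Same chain, but S2 listens on 9998 while S3 still sends to 9997."""
    s2_wrong_port = dict(S2, inputs=RECEIVER_INPUTS.replace("9997", "9998"))
    return check_chain([S3, s2_wrong_port, S1])


if __name__ == "__main__":
    for finding in example_findings() + broken_chain_findings():
        print(finding)
```

Run it once per change to the chain; an empty result for `check_chain` means every hop points at the next one on a listening port with acknowledgement enabled. The script only checks routing and acknowledgement: plain `splunktcp` inputs carry data in cleartext (`compressed = true` is compression, not encryption), so links that cross untrusted networks should use `splunktcp-ssl` inputs with the matching SSL settings in outputs.conf, which this checker does not inspect.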
