- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Forward data from splunk to splunk instance
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a network where I have a splunk instance that is off to the side on my network, as in:
Core Splunk Instance (S1) -> Remote Site Splunk (S2) -> Sub Remote Site (S3) -> Clients (C1) Universal Forwarders
What I would like to do is have all the clients on the far end (C1) running splunks universal forwarder to send their data to the local splunk server (S3), and then have that server pass all the data to a in-between splunk server (S2), which will do nothing more than forward it to the core splunk instance (S1), but I am unsure how I would configure this, or what it would be referred to in the splunk documentation world.
The reason for doing this, is that the splunk site (S3) does not have a way to communicate with the Core Splunk Site (S1) so I have to forward it through a middle man of some type, and given I have a Splunk server in the middle, I have been hinted that, this is possible.
I do not need (S2) or (S3) to be able to keep the files, just simply forward them down stream to the Core Splunk instance.
My questions are:
- What type of install does Splunk Servers (S2) & (S3) have to be to be able to do this? Universal or Full or Either?
- What would the configs look like on (S3) & (S2) to make this happen.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On (S3) Farthest from the Core:
Create: inputs.conf
[splunktcp://9997]
disabled = 0
compressed = true
Create: outputs.conf
[tcpout:splunkindexer_9997]
server={IP of S2):9997
heartbeatFrequency = 30
compressed = true
On (S2):
Create: inputs.conf
[splunktcp://9997]
disabled = 0
compressed = true
Create: outputs.conf
[tcpout]
defaultGroup=splunkindexer_9997
[tcpout:splunkindexer_9997]
server={cluster IP1}:9997, {cluster IP2}:9997, {cluster IP3}:9997, {cluster IP4}:9997
heartbeatFrequency = 30
autoLBFrequency=30
compressed = true
useACK = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On (S3) Farthest from the Core:
Create: inputs.conf
[splunktcp://9997]
disabled = 0
compressed = true
Create: outputs.conf
[tcpout:splunkindexer_9997]
server={IP of S2):9997
heartbeatFrequency = 30
compressed = true
On (S2):
Create: inputs.conf
[splunktcp://9997]
disabled = 0
compressed = true
Create: outputs.conf
[tcpout]
defaultGroup=splunkindexer_9997
[tcpout:splunkindexer_9997]
server={cluster IP1}:9997, {cluster IP2}:9997, {cluster IP3}:9997, {cluster IP4}:9997
heartbeatFrequency = 30
autoLBFrequency=30
compressed = true
useACK = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Splunks in the middle for forwarding without storing are called intermediate forwarders. Usually a Universal Forwarder install is enough, and it does not consume license volume because it doesn't do any indexing. The basic config looks like this:
C1: Enable outputs.conf to send to S3
S3: Enable receiving in inputs.conf, set outputs.conf to send to S2
S2: Enable receiving in inputs.conf, set outputs.conf to send to S1
S1: Enable receiving in inputs.conf
S1 is a regular full-fat Splunk instance that does the parsing and indexing, the others only forward data.
Here's an entry point into the docs on intermediate forwarders: http://docs.splunk.com/Documentation/Splunk/6.0.3/Forwarding/Forwarderdeploymenttopologies#Intermedi...
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation
