Solved: Re: Forwarding Data From on Universal Forwarder to...

ssankeneni · ‎09-27-2012

Is it possible to forward the data from one Universal Forwarder to another Universal Forwarder ? If so can you please direct me to the appropriate documentation.

ayme · ‎09-28-2012

Yes. Simply configure a tcpout stanza in the outputs.conf of the first Forwarder to forward to Intermediary Forwarder:

[tcpout]
defaultGroup=intermediaryForwarder

[intermediaryForwarder]
server=myintermediaryforwarder.company.com:9997

Then, configure a splunktcp stanza in the inputs.conf of the Intermediary Forwarder:

[splunktcp://:9997]

...as well as a another tcpout in the Intermediary Forwarder to forward to Indexers:

[tcpout]
defaultGroup=indexers

[indexers]
server=myindexer:9997

View solution in original post

ayme · ‎09-28-2012

Yes. Simply configure a tcpout stanza in the outputs.conf of the first Forwarder to forward to Intermediary Forwarder:

[tcpout]
defaultGroup=intermediaryForwarder

[intermediaryForwarder]
server=myintermediaryforwarder.company.com:9997

Then, configure a splunktcp stanza in the inputs.conf of the Intermediary Forwarder:

[splunktcp://:9997]

...as well as a another tcpout in the Intermediary Forwarder to forward to Indexers:

[tcpout]
defaultGroup=indexers

[indexers]
server=myindexer:9997

ssankeneni · ‎10-01-2012

Thank you very much

Forwarding Data From on Universal Forwarder to Another Universal Forwarder

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!