Getting Data In

How do I run a universal forwarder on an indexer that's handling non-IT data?

gpullis
Communicator

I need to create a standalone Splunk instance to handle health data (about the health of humans. Non-IT data).

So, I want to forward its /var/log/* data to my main indexer like any other server.

Is there a way to have a universal forwarder and an unrelated indexer living on the same server? What are the caveats in setting that up?

0 Karma

ddrillic
Ultra Champion

You should probably be fine with one Splunk instance. Licensing-wise, you can segregate it via license pooling, which was built exactly for such a use case.

0 Karma

gpullis
Communicator

So, I would stand up a second indexer, connect it to my first indexer, and have my health data go to the second indexer and all my IT data go to the first indexer?

But then I'm centrally managing everything?

And either indexer could be used as a search head for all the data? And, when it comes time to separate my search heads and indexers, my new search heads would be searching across both indexers?

As you can see, we haven't scaled beyond a single Splunk indexer / search head yet. But, am I getting the general principle right?

0 Karma

gfreitas
Builder

Yes, you can have two Splunk instances on the same machine (just change the ports). But you can have both data on the same Splunk, two different indexes (not indexers) and two access profiles for your users: IT people have access to the IT index and doctors have access to the health index.

0 Karma
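The two-index, two-role layout suggested in the reply above could look like the following. This is an added example, not configuration posted by anyone in the thread; the index names, role names and the health data path are assumptions.

```ini
# --- indexes.conf on the indexer (index names are assumptions) ---
[it_ops]
homePath   = $SPLUNK_DB/it_ops/db
coldPath   = $SPLUNK_DB/it_ops/colddb
thawedPath = $SPLUNK_DB/it_ops/thaweddb

[health]
homePath   = $SPLUNK_DB/health/db
coldPath   = $SPLUNK_DB/health/colddb
thawedPath = $SPLUNK_DB/health/thaweddb

# --- authorize.conf on the search head (role names are assumptions) ---
# importRoles is deliberately left out: an imported role also passes on
# its own allowed indexes, so check those before inheriting from it.
[role_it_staff]
search = enabled
srchIndexesAllowed = it_ops
srchIndexesDefault = it_ops

[role_health_staff]
search = enabled
srchIndexesAllowed = health
srchIndexesDefault = health

# --- inputs.conf on the sending side: route each source to its index ---
[monitor:///var/log]
index = it_ops

# Hypothetical path for the health data export.
[monitor:///opt/health_app/export]
index = health
```

Both indexes here count against the same license and share the same hardware, so this layout covers access separation only.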

gpullis
Communicator

Thanks. I'll try to install an indexer on the same machine as a configured forwarder and see how it goes.

We wanted to separate them because we're certain we'll never need to correlate their data with ours and we didn't want their work to impact the licensing or performance of our Splunk deployment.

0 Karma