Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How set up forwarding on linux-to-linux

hokie1999
Explorer
‎01-24-2013 06:04 AM

No firewall between forwarder A and indexer B. Both are Red Hat 2.6...

/opt/splunkforwarder/etc/system/local/outputs.conf on A (which has universal forwarder):

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 152.190.138.158:9997

[tcpout-server://152.190.138.158:9997] <<< This is my indexer

On the indexer I have "manager -> Forwarding and receiving -> receive data" set to 9997

Are "/var/logs" natively set to be sent to the indexer? Or does this have to be configured?

Tags (1)
0 Karma
Reply

mloven_splunk
Splunk Employee
Splunk Employee
‎01-24-2013 07:32 AM

hokie1999,

One thing to note here. You edited your default inputs.conf. This is generally considered bad practice. If you were to update your universal forwarder to a newer version, the update process would revert your change back to, as the name implies, the default.

Right at the top of the default/inputs.conf (as well as other default/*.conf files) there is a warning stating not to edit the file.

You need to make this change in the local inputs.conf. In /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/, there should be a local directory. In it, there may or may not be a inputs.conf file. If there is, great, make your changes there. If there isn't, just copy the inputs.conf from the default directory into the local directory. Then make your changes to the inputs.conf in the local directory.

Reply

hokie1999
Explorer
‎01-24-2013 06:59 AM

The answer to this question, thanks to Ed Elisio, is to configure

/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf

on the forwarding device to be something like this if you're interested in /var/log stuff:

[splunktcp]
route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = *
index = _internal

[monitor:///var/log] <<<<<<<< added this

Restart the universal forwarder, too.

0 Karma
Reply
Get Updates on the Splunk Community!

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...
Top