How to set up forwarding on Linux-to-Linux

hokie1999
Explorer

No firewall between forwarder A and indexer B. Both are Red Hat 2.6...

/opt/splunkforwarder/etc/system/local/outputs.conf on A (which has universal forwarder):

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 152.190.138.158:9997

[tcpout-server://152.190.138.158:9997] <<< This is my indexer

On the indexer I have "manager -> Forwarding and receiving -> receive data" set to 9997

Are "/var/logs" natively set to be sent to the indexer? Or does this have to be configured?


mloven_splunk
Splunk Employee

hokie1999,

One thing to note here. You edited your default inputs.conf. This is generally considered bad practice. If you were to update your universal forwarder to a newer version, the update process would revert your change back to, as the name implies, the default.

Right at the top of the default/inputs.conf (as well as other default/*.conf files) there is a warning stating not to edit the file.

You need to make this change in the local inputs.conf. In /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/, there should be a local directory. In it, there may or may not be an inputs.conf file. If there is, great, make your changes there. If there isn't, just copy the inputs.conf from the default directory into the local directory. Then make your changes to the inputs.conf in the local directory.

hokie1999
Explorer

The answer to this question, thanks to Ed Elisio, is to configure

/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf

on the forwarding device to be something like this if you're interested in /var/log stuff:

[splunktcp]
route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = *
index = _internal

[monitor:///var/log] <<<<<<<< added this

Restart the universal forwarder, too.

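The difference between editing default/inputs.conf and local/inputs.conf that mloven_splunk describes, as an added Python model (not Splunk's own btool and not part of this thread): local/ is overlaid on default/, so a stanza kept in local/ survives an upgrade that rewrites default/, while a stanza added to default/ does not. The sample conf text is constructed from the stanzas in the answer above; Splunk's real precedence across apps is more involved than this two-layer overlay.

```python
import configparser

# Constructed samples. DEFAULT_EDITED is the shipped default/inputs.conf with
# [monitor:///var/log] added to it (the answer above); DEFAULT_UPGRADED is the
# file a forwarder upgrade lays down again; LOCAL keeps the stanza in local/.
DEFAULT_EDITED = """
[splunktcp]
route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = *
index = _internal

[monitor:///var/log]
"""
DEFAULT_UPGRADED = DEFAULT_EDITED.split("[monitor:///var/log]")[0]
LOCAL = """
[monitor:///var/log]
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   allow_no_value=True)
    cp.optionxform = str  # Splunk keys are case-sensitive (_TCP_ROUTING)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective_conf(default_text, local_text):
    """Overlay local/ on default/: a key set in both takes local's value."""
    merged = {}
    for layer in (parse_conf(default_text), parse_conf(local_text)):
        for stanza, kv in layer.items():
            merged.setdefault(stanza, {}).update(kv)
    return merged

def monitor_stanzas(default_text, local_text=""):
    """Return the monitor:// stanzas the forwarder would act on."""
    conf = effective_conf(default_text, local_text)
    return sorted(s for s in conf if s.startswith("monitor://"))

if __name__ == "__main__":
    print("edited default, before upgrade:", monitor_stanzas(DEFAULT_EDITED))
    print("edited default, after upgrade: ", monitor_stanzas(DEFAULT_UPGRADED))
    print("local stanza, after upgrade:   ", monitor_stanzas(DEFAULT_UPGRADED, LOCAL))
```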