Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How set up forwarding on linux-to-linux

hokie1999
Explorer
‎01-24-2013 06:04 AM

No firewall between forwarder A and indexer B. Both are Red Hat 2.6...

/opt/splunkforwarder/etc/system/local/outputs.conf on A (which has universal forwarder):

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 152.190.138.158:9997

[tcpout-server://152.190.138.158:9997] <<< This is my indexer

On the indexer I have "manager -> Forwarding and receiving -> receive data" set to 9997

Are "/var/logs" natively set to be sent to the indexer? Or does this have to be configured?

Tags (1)
0 Karma
Reply

mloven_splunk
Splunk Employee
Splunk Employee
‎01-24-2013 07:32 AM

hokie1999,

One thing to note here. You edited your default inputs.conf. This is generally considered bad practice. If you were to update your universal forwarder to a newer version, the update process would revert your change back to, as the name implies, the default.

Right at the top of the default/inputs.conf (as well as other default/*.conf files) there is a warning stating not to edit the file.

You need to make this change in the local inputs.conf. In /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/, there should be a local directory. In it, there may or may not be a inputs.conf file. If there is, great, make your changes there. If there isn't, just copy the inputs.conf from the default directory into the local directory. Then make your changes to the inputs.conf in the local directory.

Reply

hokie1999
Explorer
‎01-24-2013 06:59 AM

The answer to this question, thanks to Ed Elisio, is to configure

/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf

on the forwarding device to be something like this if you're interested in /var/log stuff:

[splunktcp]
route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = *
index = _internal

[monitor:///var/log] <<<<<<<< added this

Restart the universal forwarder, too.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...