Getting Data In

How to configure a new Linux Splunk indexer/search head to receive data from a Windows universal forwarder?

sumit9999
New Member

Hello,

I am trying to configure a new Splunk server (search head/indexer, have one). Currently have installed the forwarder with a different server name which is being decommissioned, and now need to forward the logs to a new server. I know one location to change would be etc/system/local/outputs.conf ... I am still not able to get any logs in the new Splunk console. Where else would we need to update the new Splunk server name?

Few points: this new Splunk server is in Linux, 6.5 E version.
Forwarder: Windows, Splunk universal forwarder 6.3.2

Thanks.

0 Karma

rjthibod
Champion

Do you have the Windows TA installed on the Linux Splunk server? That sets up the knowledge objects, indexes, and search-time components to handle Windows data from the forwarder.

0 Karma

somesoni2
Revered Legend

First thing that you need to do is to set up your new indexer to receive data. See this http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Enableareceiver

Then, depending on how you were managing your previous indexers, set up the indexer to process and index data. If you're using deployment servers to deploy apps (for indexes and sourcetype definitions), then update the deployment server configuration to deploy it to the new indexer.

Finally, depending on how you manage your forwarder's base configurations like outputs.conf, update the outputs.conf (basically forwarding) to point to the new indexer. If you were using an app to push outputs.conf, update that app and deploy again. If you're manually managing the forwarder, do it on the server itself. See this http://docs.splunk.com/Documentation/Forwarder/6.5.0/Forwarder/Configureforwardingwithoutputs.conf

This will not require you to re-install the forwarder (not sure if it was required for the deployment server change as well).

sumit9999
New Member

Indexer's already set up to receive data from forwarders.

Yes, the forwarders are being managed manually. Outputs.conf is updated to send data to the new server already. There is connectivity as well between the two. But do not get any data from it.

0 Karma

somesoni2
Revered Legend

Could you check if you're able to see internal events from the UF on your indexers (search: index=_internal host=yourUF)?
If yes, then check if your data inputs are set up correctly (inputs.conf for monitoring actual data; you can run this command from the UF to see what files are being monitored: $Splunk_Home/bin/splunk list monitor).

0 Karma
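The two answers above boil down to one manual procedure: point the forwarder's outputs.conf at the new indexer, make sure the new indexer's receiving port is actually reachable, then confirm with index=_internal that the forwarder is talking to it. The script below is an added example, not code from the thread or from Splunk: it rewrites a forwarder-side outputs.conf (every tcpout server list and any [tcpout-server://...] stanza that still names the old indexer) and performs a plain TCP connect against the new receiving port. The hostnames old-idx.example.com / new-idx.example.com, the port 9997 and the sample outputs.conf are constructed placeholders; a real run would read and write $SPLUNK_HOME/etc/system/local/outputs.conf and then restart the forwarder.

```python
"""Repoint a Splunk universal forwarder's outputs.conf at a new indexer.

Added example (not from the thread). Assumptions: a manually managed
outputs.conf under $SPLUNK_HOME/etc/system/local, the new indexer
receiving on the default splunktcp port 9997, and constructed hostnames.
"""
import configparser
import io
import socket

# Constructed sample: an outputs.conf still pointing at the decommissioned indexer.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = old-idx.example.com:9997

[tcpout-server://old-idx.example.com:9997]
sslVerifyServerCert = false
"""


def _new_parser():
    # Splunk conf files are INI-like but keys are case-sensitive, so disable
    # configparser's default lowercasing and its %-interpolation.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str
    return cp


def repoint_outputs_conf(text, old_server, new_server):
    """Return (rewritten_text, changes).

    old_server/new_server are 'host:port' strings. Every 'server' list in a
    [tcpout:<group>] stanza has old_server swapped for new_server (other
    entries in a comma-separated list are kept), and a
    [tcpout-server://old_server] stanza is renamed so its per-server
    settings (e.g. TLS options) follow the new indexer.
    """
    src = _new_parser()
    src.read_string(text)
    dst = _new_parser()
    changes = []
    for section in src.sections():
        target = section
        if section == f"tcpout-server://{old_server}":
            target = f"tcpout-server://{new_server}"
            changes.append(f"renamed stanza [{section}] -> [{target}]")
        dst.add_section(target)
        for key, value in src.items(section):
            if section.startswith("tcpout:") and key == "server" and value:
                servers = [s.strip() for s in value.split(",")]
                rewritten = [new_server if s == old_server else s for s in servers]
                if rewritten != servers:
                    changes.append(f"[{section}] server: {value} -> {', '.join(rewritten)}")
                value = ", ".join(rewritten)
            dst.set(target, key, value)
    buf = io.StringIO()
    dst.write(buf)
    return buf.getvalue(), changes


def receiving_port_reachable(server, timeout=3.0):
    """TCP-connect to the indexer's receiving port ('host:port').

    False means the receiver is not enabled or something in between blocks
    the port. True only proves the port is open: the forwarder still has to
    show up in 'index=_internal host=<UF>' before data inputs are checked.
    """
    host, _, port = server.rpartition(":")
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    OLD, NEW = "old-idx.example.com:9997", "new-idx.example.com:9997"
    new_conf, log = repoint_outputs_conf(SAMPLE_OUTPUTS_CONF, OLD, NEW)
    for entry in log:
        print("changed:", entry)
    print(new_conf)
    # After writing new_conf to etc/system/local/outputs.conf, run
    # "$SPLUNK_HOME/bin/splunk restart" on the forwarder; no reinstall is needed.
    print("receiver reachable:", receiving_port_reachable(NEW))
```

Running it against the constructed sample reports two changes (the server list and the renamed stanza) and a reachability result that will be False offline. The rewrite keeps any other indexers listed in the same group, which matters when the old server was one of several load-balanced targets rather than the only one.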

sumit9999
New Member

One thing that worked is: to reinstall the forwarder and configure it with the new deployment server name. I was wondering if there was a way we could update the new server name without having to uninstall the forwarder?

0 Karma