Hello,
I am trying to configure a new Splunk server (search head/indexer, have one). Currently I have the forwarder installed with a different server name, which is being decommissioned, and now I need to forward the logs to a new server. I know one location to change would be etc/system/local/outputs.conf ... I am still not able to get any logs in the new Splunk console. Where else would we need to update the new Splunk server name?
A few points: this new Splunk server is on Linux, 6.5 E version.
Forwarder: Windows, Splunk universal forwarder 6.3.2
Thanks.
Do you have the Windows TA installed on the Linux Splunk server? That sets up the knowledge objects, indexes, and search-time components to handle Windows data from the forwarder.
The first thing you need to do is set up your new indexer to receive data. See this: http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Enableareceiver
Then, depending on how you were managing your previous indexers, set up the indexer to process and index data. If you're using a deployment server to deploy apps (for index and sourcetype definitions), update the deployment server configuration to deploy them to the new indexer.
Finally, depending on how you manage your forwarder's base configuration such as outputs.conf, update outputs.conf (basically, the forwarding) to point to the new indexer. If you were using an app to push outputs.conf, update that app and deploy it again. If you're managing the forwarder manually, do it on the server itself. See this: http://docs.splunk.com/Documentation/Forwarder/6.5.0/Forwarder/Configureforwardingwithoutputs.conf
This will not require you to reinstall the forwarder (not sure if it was required for the deployment server change as well).
The indexer is already set up to receive data from forwarders.
Yes, the forwarders are being managed manually. outputs.conf is already updated to send data to the new server. There is connectivity between the two as well, but I do not get any data from it.
Could you check if you're able to see internal events from the UF on your indexers (search: index=_internal host=yourUF)?
If yes, then check if your data inputs are set up correctly (inputs.conf for monitoring the actual data; you can run this command from the UF to see which files are being monitored: $SPLUNK_HOME/bin/splunk list monitor).
One thing that worked is to reinstall the forwarder and configure it with the new deployment server name. I was wondering if there was a way we could update the new server name without having to uninstall the forwarder?
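As an added example (not posted by anyone in this thread), here are the forwarder-side .conf files after repointing: the outputs.conf step from the answer above, and the deployment-server rename from the last post, which on a universal forwarder is a deploymentclient.conf change rather than a reinstall. Host names and the 8089 management port are placeholders; 9997 is the receiving port enabled on the indexer in the first step.

```ini
# $SPLUNK_HOME/etc/system/local/outputs.conf on the universal forwarder
# (constructed example; "new-indexer.example.com" is a placeholder)
[tcpout]
defaultGroup = new_indexers

[tcpout:new_indexers]
server = new-indexer.example.com:9997

# Remove or comment out the stanza for the decommissioned indexer; a leftover
# group keeps the forwarder retrying the old host and fills splunkd.log with
# connection errors, which is the first thing to look for in index=_internal.
# [tcpout:old_indexers]
# server = old-indexer.example.com:9997

# Note: if inputs.conf sends data to a custom index (index = ...), that index
# must also exist on the new indexer (indexes.conf), or the events are dropped.

# $SPLUNK_HOME/etc/system/local/deploymentclient.conf on the universal forwarder
# Only needed if the forwarder was bound to a deployment server; this repoints
# it without reinstalling ("new-ds.example.com" is a placeholder).
[deployment-client]

[target-broker:deploymentServer]
targetUri = new-ds.example.com:8089
```

Restart the forwarder afterwards (`splunk restart` from the UF's bin directory) and confirm the new targets with `splunk list forward-server` and `splunk show deploy-poll`; if a local app under etc/apps also ships its own tcpout stanza, that copy overrides the one in etc/system/local and must be changed too.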