Getting Data In

Indexer and Heavy Forwarder in once?

wplank
Path Finder

Hello community,

we would like to forward a subset of syslog data to a 3rd party syslog host.
So, no problem, this is possible with a forwarder or a heavy forwarder (http://docs.splunk.com/Documentation/Splunk/6.3.0/Forwarding/Forwarddatatothird-partysystemsd).

But, I want to do this on our (single) indexer.
What happens if I add a outputs.conf, and so change the indexer to a heavy forwarder?

Is still everything (search, dashboards, alerts, ...) working as it should, plus the posibilities of a heavy forwarder?

Thanks for your help.

0 Karma
1 Solution

Yasaswy
Contributor

Hi, A heavy forwarder is a full splunk install. You can use a single system for all splunk functionalities as long as it fits your requirements. A single splunk instance can be configured to do both forwarding and indexing without impacting your current setup (assuming configurations are done correctly). Check out the documentation here:

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Indexer/Search Head/Heavy Forwarder/Deployment server/License Master are the roles that you assign to your Splunk Enterprise instance. One instance can perform multiple role (may be all of the roles if configured).

0 Karma

chaker
Contributor

Hi,

I would not do it this way. I'd leave the job to the universal forwarder.

If you do want to have your indexer send the events to 3rd party, you will need this in your outputs.conf
[indexAndForward]
index=true
selectiveIndexing=true

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

#
# Perform selective indexing and forwarding
#
# With a heavy forwarder only, you can index and store data locally, as well as
# forward the data onwards to a receiving indexer. There are two ways to do
# this:

# 1. In outputs.conf:
[tcpout]
defaultGroup = indexers

[indexAndForward]
index=true
selectiveIndexing=true

[tcpout:indexers]
server = 10.1.1.197:9997, 10.1.1.200:9997

# 2. In inputs.conf, Add _INDEX_AND_FORWARD_ROUTING for any data that you want
#    index locally, and
_TCP_ROUTING=<target_group> for data to be forwarded.

[monitor:///var/log/messages/]
_INDEX_AND_FORWARD_ROUTING=local

[monitor:///var/log/httpd/]
_TCP_ROUTING=indexers
0 Karma

Yasaswy
Contributor

Hi, A heavy forwarder is a full splunk install. You can use a single system for all splunk functionalities as long as it fits your requirements. A single splunk instance can be configured to do both forwarding and indexing without impacting your current setup (assuming configurations are done correctly). Check out the documentation here:

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...