Hello community,
we would like to forward a subset of syslog data to a 3rd party syslog host.
So, no problem, this is possible with a forwarder or a heavy forwarder (http://docs.splunk.com/Documentation/Splunk/6.3.0/Forwarding/Forwarddatatothird-partysystemsd).
But, I want to do this on our (single) indexer.
What happens if I add a outputs.conf, and so change the indexer to a heavy forwarder?
Is still everything (search, dashboards, alerts, ...) working as it should, plus the posibilities of a heavy forwarder?
Thanks for your help.
Hi, A heavy forwarder is a full splunk install. You can use a single system for all splunk functionalities as long as it fits your requirements. A single splunk instance can be configured to do both forwarding and indexing without impacting your current setup (assuming configurations are done correctly). Check out the documentation here:
Indexer/Search Head/Heavy Forwarder/Deployment server/License Master are the roles that you assign to your Splunk Enterprise instance. One instance can perform multiple role (may be all of the roles if configured).
Hi,
I would not do it this way. I'd leave the job to the universal forwarder.
If you do want to have your indexer send the events to 3rd party, you will need this in your outputs.conf
[indexAndForward]
index=true
selectiveIndexing=true
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf
#
# Perform selective indexing and forwarding
#
# With a heavy forwarder only, you can index and store data locally, as well as
# forward the data onwards to a receiving indexer. There are two ways to do
# this:
# 1. In outputs.conf:
[tcpout]
defaultGroup = indexers
[indexAndForward]
index=true
selectiveIndexing=true
[tcpout:indexers]
server = 10.1.1.197:9997, 10.1.1.200:9997
# 2. In inputs.conf, Add _INDEX_AND_FORWARD_ROUTING for any data that you want
# index locally, and
_TCP_ROUTING=<target_group> for data to be forwarded.
[monitor:///var/log/messages/]
_INDEX_AND_FORWARD_ROUTING=local
[monitor:///var/log/httpd/]
_TCP_ROUTING=indexers
Hi, A heavy forwarder is a full splunk install. You can use a single system for all splunk functionalities as long as it fits your requirements. A single splunk instance can be configured to do both forwarding and indexing without impacting your current setup (assuming configurations are done correctly). Check out the documentation here: