Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Indexer and Heavy Forwarder in once?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello community,
we would like to forward a subset of syslog data to a 3rd party syslog host.
So, no problem, this is possible with a forwarder or a heavy forwarder (http://docs.splunk.com/Documentation/Splunk/6.3.0/Forwarding/Forwarddatatothird-partysystemsd).
But, I want to do this on our (single) indexer.
What happens if I add a outputs.conf, and so change the indexer to a heavy forwarder?
Is still everything (search, dashboards, alerts, ...) working as it should, plus the posibilities of a heavy forwarder?
Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, A heavy forwarder is a full splunk install. You can use a single system for all splunk functionalities as long as it fits your requirements. A single splunk instance can be configured to do both forwarding and indexing without impacting your current setup (assuming configurations are done correctly). Check out the documentation here:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Indexer/Search Head/Heavy Forwarder/Deployment server/License Master are the roles that you assign to your Splunk Enterprise instance. One instance can perform multiple role (may be all of the roles if configured).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I would not do it this way. I'd leave the job to the universal forwarder.
If you do want to have your indexer send the events to 3rd party, you will need this in your outputs.conf
[indexAndForward]
index=true
selectiveIndexing=true
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf
#
# Perform selective indexing and forwarding
#
# With a heavy forwarder only, you can index and store data locally, as well as
# forward the data onwards to a receiving indexer. There are two ways to do
# this:
# 1. In outputs.conf:
[tcpout]
defaultGroup = indexers
[indexAndForward]
index=true
selectiveIndexing=true
[tcpout:indexers]
server = 10.1.1.197:9997, 10.1.1.200:9997
# 2. In inputs.conf, Add _INDEX_AND_FORWARD_ROUTING for any data that you want
# index locally, and
_TCP_ROUTING=<target_group> for data to be forwarded.
[monitor:///var/log/messages/]
_INDEX_AND_FORWARD_ROUTING=local
[monitor:///var/log/httpd/]
_TCP_ROUTING=indexers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, A heavy forwarder is a full splunk install. You can use a single system for all splunk functionalities as long as it fits your requirements. A single splunk instance can be configured to do both forwarding and indexing without impacting your current setup (assuming configurations are done correctly). Check out the documentation here:
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
