Getting Data In

Intermediate forwarder not sending data

akostiner123194
New Member

I have a UF sending to a UF sending to Splunk. The intermediate UF is sending data but just from that host. The first UF's data is not getting to Splunk.

Intermediate UF IP 10.0.1.18
Splunk IP 10.0.1.65
Here is the conf file info:

First UF:

inputs.conf

[default]
host = SP-DB

outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.0.1.18:9997

[tcpout-server://10.0.1.18:9997]

Intermediate UF:

inputs.conf

[default]
host = SPLUNK2

[splunktcp://:9997]
compressed = true
disabled = 0

outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.0.1.65:9001

[tcpout-server://10.0.1.65:9001]

0 Karma

woodcock
Esteemed Legend

The UF cannot receive events; it can only send them. But you can do UF -> HF -> Indexers. So first reinstall your IUF as IHF, using a full instance of Splunk. Then this should work:

First UF:

inputs.conf

# Whatever you are sending here, probably "[monitor:// ... ]" stanza

outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = IHF.IP.Address.Here:9997

Intermediate HF:

inputs.conf

[splunktcp://:9997]
disabled = 0

outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = Indexer.IP.Address.Here:9997

Indexer:

inputs.conf

[splunktcp://:9997]
disabled = 0

0 Karma
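Before reinstalling anything, it is worth confirming that the hops in a chain like the one above actually line up: every tcpout target port on one tier must be an enabled splunktcp listener on the next tier. The script below is an added example, not code from the thread or from Splunk. It parses Splunk-style .conf text and walks the chain hop by hop. The sample configs are constructed from the layout woodcock describes (with the IPs from the question), and the indexer's inputs.conf is an assumption, since the thread never shows it. Note that this only checks that the ports agree; it says nothing about whether the receiving instance type can forward what it receives, which is the point the answers make.

```python
"""Added example (not from the thread): sanity-check a Splunk forwarding chain
by parsing each tier's inputs.conf / outputs.conf and confirming that every
tcpout target port is an enabled splunktcp listener on the next hop.

The sample configs below are constructed for this example; the indexer's
inputs.conf in particular is an assumption (the thread never shows it)."""
import re

STANZA_RE = re.compile(r"^\[(.+?)\]\s*$")
SPLUNKTCP_RE = re.compile(r"^splunktcp(?:-ssl)?://(?:[^:]*:)?(\d+)$")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; stanzas may be empty."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1).strip()
            conf.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[current][key.strip()] = value.strip()
    return conf


def tcpout_targets(outputs):
    """(host, port) pairs that the defaultGroup of a parsed outputs.conf sends to."""
    group = outputs.get("tcpout", {}).get("defaultGroup")
    if not group:
        return []
    targets = []
    for entry in outputs.get(f"tcpout:{group}", {}).get("server", "").split(","):
        entry = entry.strip()
        if entry:
            host, _, port = entry.rpartition(":")
            targets.append((host, int(port)))
    return targets


def splunktcp_ports(inputs):
    """Ports with an enabled [splunktcp://...] stanza in a parsed inputs.conf."""
    ports = set()
    for stanza, keys in inputs.items():
        m = SPLUNKTCP_RE.match(stanza)
        if m and keys.get("disabled", "0").lower() not in ("1", "true"):
            ports.add(int(m.group(1)))
    return ports


def check_chain(tiers):
    """tiers: [(name, inputs_conf_text, outputs_conf_text), ...] in data-flow order.
    Returns a list of problems; an empty list means every hop lines up."""
    problems = []
    for (name, _, outputs), (nxt, nxt_inputs, _) in zip(tiers, tiers[1:]):
        targets = tcpout_targets(parse_conf(outputs))
        listeners = splunktcp_ports(parse_conf(nxt_inputs))
        if not targets:
            problems.append(f"{name}: outputs.conf has no defaultGroup/server")
        for host, port in targets:
            if port not in listeners:
                problems.append(
                    f"{name} sends to {host}:{port} but {nxt} has no enabled "
                    f"splunktcp listener on that port (listening: {sorted(listeners)})"
                )
    return problems


# Constructed sample: UF -> intermediate -> indexer, every hop on 9997.
UF_OUT = ("[tcpout]\ndefaultGroup = default-autolb-group\n"
          "[tcpout:default-autolb-group]\nserver = 10.0.1.18:9997\n")
IHF_IN = "[splunktcp://:9997]\ndisabled = 0\n"
IHF_OUT = ("[tcpout]\ndefaultGroup = default-autolb-group\n"
           "[tcpout:default-autolb-group]\nserver = 10.0.1.65:9997\n")
IDX_IN = "[splunktcp://:9997]\ndisabled = 0\n"  # assumption: indexer listens on 9997

GOOD_CHAIN = [("first-uf", "", UF_OUT),
              ("intermediate", IHF_IN, IHF_OUT),
              ("indexer", IDX_IN, "")]
# Constructed mismatch: intermediate sends to 9001 (as in the question) while the
# assumed indexer only listens on 9997, so the second hop is flagged.
BAD_CHAIN = [("first-uf", "", UF_OUT),
             ("intermediate", IHF_IN, IHF_OUT.replace("9997", "9001")),
             ("indexer", IDX_IN, "")]

if __name__ == "__main__":
    for label, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(label, check_chain(chain) or "OK")
```

Feed it the real files with `open(path).read()` for each tier and read the returned list; an empty list means the ports agree end to end, and each entry names the hop that does not.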

ivanreis
Builder

The UF client is not capable of routing data between UF clients. If you need to use a Splunk tier to forward data, you should use the heavy forwarder tier.

https://docs.splunk.com/Documentation/Splunk/7.3.2/Forwarding/Forwarderdeploymenttopologies#Intermed...

UF clients are capable of sending data directly to the indexer/heavy forwarder tier and do have the functionality to forward data. I took part of the text from this document -> https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/Abouttheuniversalforwarder

"This manual discusses the universal forwarder and how to plan, download, install, and configure it. There are two other types of forwarders. To learn about heavy and light forwarders and how they forward data, see About forwarding and receiving data in the Forwarding Data Manual.

To achieve higher performance and a lighter resource footprint, the universal forwarder has a subset of the functionality provided by a full Splunk platform deployment, specifically:

Cannot search or index data.
Cannot send alerts.
Does not parse incoming data, except in certain cases, such as structured data or some forms of Windows data.
Cannot send data to syslog servers as it has no syslog pipeline.
Does not include a version of Python."

0 Karma