I have a UF sending to a UF sending to Splunk. The intermediate UF is sending data, but only from its own host. The first UF's data is not getting to Splunk.
Intermediate UF IP: 10.0.1.18
Splunk IP: 10.0.1.65
Here is the conf file info:
First UF:

inputs.conf
[default]
host = SP-DB

outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.0.1.18:9997
[tcpout-server://10.0.1.18:9997]

Intermediate UF:

inputs.conf
[default]
host = SPLUNK2
[splunktcp://:9997]
compressed = true
disabled = 0

outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.0.1.65:9001
[tcpout-server://10.0.1.65:9001]
The UF cannot receive events; it can only send them. But you can do UF -> HF -> Indexers. So first reinstall your IUF as IHF, using a full instance of Splunk. Then this should work:

UF:

inputs.conf
# Whatever you are sending here, probably a "[monitor:// ... ]" stanza

outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = IHF.IP.Address.Here:9997

IHF:

inputs.conf
[splunktcp://:9997]
disabled = 0

outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = Indexer.IP.Address.Here:9997

Indexer:

inputs.conf
[splunktcp://:9997]
disabled = 0
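As an added example (not from this thread and not Splunk's own tooling), a small Python checker that parses each hop's inputs.conf and outputs.conf and verifies that the tcpout target of one hop points at the next hop's IP and at a port with an enabled splunktcp receiver. The sample chain is constructed from the question's configs; the indexer's inputs.conf is not on the page and is assumed to listen on 9997, and the first UF's tcpout-server stanza is given a stray space so the stanza-name check has something to find.

```python
import re

def parse_conf(text):
    """Minimal Splunk .conf parser: {stanza: {key: value}}; comments and blank lines skipped."""
    stanzas, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            stanzas.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            stanzas[cur][key.strip()] = val.strip()
    return stanzas

def receiving_ports(inputs):
    """Ports that have an enabled [splunktcp://:<port>] stanza."""
    return {int(m.group(1)) for name, kv in inputs.items()
            if (m := re.fullmatch(r"splunktcp://:(\d+)", name))
            and kv.get("disabled", "0").lower() not in ("1", "true")}

def check_chain(hops):
    """hops: ordered (name, ip, inputs_text, outputs_text) tuples, sender first. Returns findings."""
    findings = []
    for (name, _, in_txt, out_txt), (nxt, nxt_ip, nxt_in, _) in zip(hops, hops[1:]):
        inputs, outputs = parse_conf(in_txt), parse_conf(out_txt)
        for stanza in list(inputs) + list(outputs):
            if re.search(r"\s", stanza):  # stray whitespace makes the stanza name not match
                findings.append(f"{name}: stanza [{stanza}] contains whitespace")
        group = outputs.get("tcpout", {}).get("defaultGroup", "")
        server = outputs.get(f"tcpout:{group}", {}).get("server")
        if not server:  # nothing to trace from this hop
            continue
        ip, port = server.rsplit(":", 1)
        if ip != nxt_ip:
            findings.append(f"{name}: sends to {ip} but next hop {nxt} is {nxt_ip}")
        if int(port) not in receiving_ports(parse_conf(nxt_in)):
            findings.append(f"{name}: sends to port {port} but {nxt} has no enabled splunktcp receiver there")
    return findings

# Constructed from the thread's configs; the indexer's inputs.conf is assumed (not shown on the page).
CHAIN = [
    ("SP-DB", "unknown", "[default]\nhost = SP-DB\n",
     "[tcpout]\ndefaultGroup = default-autolb-group\n[tcpout:default-autolb-group]\n"
     "server = 10.0.1.18:9997\n[tcpout-server:// 10.0.1.18:9997]\n"),
    ("SPLUNK2", "10.0.1.18", "[default]\nhost = SPLUNK2\n[splunktcp://:9997]\ncompressed = true\ndisabled = 0\n",
     "[tcpout]\ndefaultGroup = default-autolb-group\n[tcpout:default-autolb-group]\n"
     "server = 10.0.1.65:9001\n[tcpout-server://10.0.1.65:9001]\n"),
    ("indexer", "10.0.1.65", "[splunktcp://:9997]\ndisabled = 0\n", ""),
]
```

Running check_chain(CHAIN) reports the whitespace in the first UF's stanza name and that the intermediate hop sends to port 9001 while the assumed indexer only receives on 9997.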
UF clients are not capable of routing data between UF clients. If you need to use a Splunk tier to forward data, you should use the heavy forwarder tier.
UF clients are capable of sending data directly to the indexer/heavy forwarder tier and do have the functionality to forward data. Here is part of the text from this document -> https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/Abouttheuniversalforwarder
"This manual discusses the universal forwarder and how to plan, download, install, and configure it. There are two other types of forwarders. To learn about heavy and light forwarders and how they forward data, see About forwarding and receiving data in the Forwarding Data Manual.
To achieve higher performance and a lighter resource footprint, the universal forwarder has a subset of the functionality provided by a full Splunk platform deployment, specifically:
Cannot search or index data.
Cannot send alerts.
Does not parse incoming data, except in certain cases, such as structured data or some forms of Windows data.
Cannot send data to syslog servers as it has no syslog pipeline.
Does not include a version of Python."