Getting Data In

Is there any way to guarantee my Forwarder collecting all data?

CJOS
Engager

Hi all.
We are using Splunk Enterprise version of 6.1.3.
Is there any way to guarantee my Forwarder collecting all data?
Please recommend any tools or ways. Thanks.

Patient
Path Finder

Hello CJOS,

I don't know if I have understood your question very well. For more suggestion about my answer please let me now.

A Splunk Enterprise instance that receives data from one or more forwarders is called a receiver. The receiver is usually a Splunk Enterprise indexer, but can also be another forwarder, as described:

Set up receiving

Before enabling a Splunk Enterprise instance (either an indexer or a forwarder) as a receiver, you must install it. You can then enable receiving on the instance through Splunk Web, the CLI, or the inputs.conf configuration file. Set up receiving with Splunk Web Use Splunk Web to set up a receiver:

  1. Log into Splunk Web as admin on the server that will be receiving data from a forwarder.
  2. Click the Settings link at the top of the page.
  3. Select Forwarding and receivingin the Data area.
  4. Click Add new in the Receive data section.
  5. Specify which TCP port you want the receiver to listen on (the listening port, also known as the receiving port). For example, if you enter "9997," the receiver will receive data on port 9997. By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunk web or splunkd.
  6. Click Save.You must restart the instance to complete the process.

For more information about collecting the data see Splunk-6.1.1-Forwarding manual:
http://docs.splunk.com/Documentation/Splunk
Regard,
Patient

0 Karma

MuS
SplunkTrust
SplunkTrust

Hmm, CJOS wants to know how he can be sure that a forwarder configured to monitor the file foo has read everything in the file and sent it to the indexer.....the indexer itself can do event hashing to handle this. But how can we be sure a forwarder did read everything and did not discard any events for what ever reason?

0 Karma

gyslainlatsa
Motivator

hi CJOS,
we must try to download splunkforwarder-6.2.1-196940-x64-release or splunkforwarder-6.2.1-196940-x86-release software to the following address: andhttp://www.splunk.com/download/universalforwarder install it on your machine and then follow the linkhttp://www.macintom.com/wp/2012/05/30/splunk-partie-1-presentation-et-installation/ for setting.
please forgive my english

good luck for the future.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!