Getting Data In

Questions about Universal Forwarder.

zacksoft
Contributor

If anyone could help me clarify these, that would help.

  1. Universal Forwarder can send data at a time to "One" indexer only?
    A UF cannot be configured to send data to multiple indexes in the same Splunk instance.
    Is my understanding correct?

  2. If I'm wrong about question 1,
    say I have two Splunk instances (two different teams A & B using their own Splunk, no relation at all).
    However, Team B wants some data from Team A. Team B is not allowed to install their forwarders on Team A's web servers. Team A's web servers have their own UF installed, of their own Splunk instance. Is there a way to send the data using Team A's UFs into Team B's Splunk index?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @zacksoft,
Universal Forwarder can send logs to many Indexers in two configurations:

  • in auto load balancing, it distributes logs between the configured Indexers using a round robin algorithm and manages the failover of one or more indexers;
  • it can send the same log to two or more indexers, but in this case license consumption is double or more.

So you can follow two approaches:

  • you can configure your UFs to send a part of the data to both the Indexers (in this way you have a double consumption of license),
  • you can configure a Search Head for each Team to see both the indexers' data.

You can find information about this issue at https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Usingforwardingagents and https://docs.splunk.com/Documentation/Forwarder/8.0.3/Forwarder/Configureforwardingwithoutputs.conf.

Ciao.
Giuseppe

0 Karma

zacksoft
Contributor

Team A doesn't use the data that Team B wants. Team A has set up their UF to get data from webserver that are different than Team B. The data that Team B's Splunk instance wants is present on Team A's webservers, and they are wondering if they can get it using Team A's Splunk UF that is already installed there.

0 Karma

gcusello
SplunkTrust

Hi @zacksoft,
yes, you can: Team A's UFs must be configured to send a part of their data to both the Indexers, following the instructions at https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad#Perform_selective_...
In other words, they have to configure in outputs.conf a default targetGroup (containing the Indexers of Team A) to send all the logs and a second targetGroup (containing the Indexers of Team B) to send the specified data.
Then they have to put in inputs.conf _INDEX_AND_FORWARD_ROUTING= in the stanzas to send to both the indexers.

Ciao.
Giuseppe

0 Karma
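
The two-target-group layout described in the reply above, as an added configuration example that is not from the original posts. It uses `_TCP_ROUTING`, the inputs.conf setting that routes one input to named tcpout groups on a forwarder, rather than the setting named in the reply. Hostnames, group names, index names, file paths and the receiving port 9997 are constructed placeholders.

```ini
# ---- outputs.conf on Team A's Universal Forwarder ----
# Inputs that do not set _TCP_ROUTING follow defaultGroup,
# so Team A's existing data keeps going only to Team A.
[tcpout]
defaultGroup = teamA_indexers

# Two servers in one group: the UF load-balances between them.
[tcpout:teamA_indexers]
server = idx1.teama.example:9997, idx2.teama.example:9997

# Second target group; it receives nothing unless an input names it.
[tcpout:teamB_indexers]
server = idx1.teamb.example:9997

# ---- inputs.conf on the same forwarder ----
# Existing Team A input (constructed path): no _TCP_ROUTING,
# so it is sent to defaultGroup only.
[monitor:///var/log/teama/app.log]
index = teama_app

# Input holding the data Team B asked for (constructed path).
# Only this stanza is routed to Team B's indexers; the index
# named here has to exist on the receiving indexers.
[monitor:///var/log/httpd/access_log]
_TCP_ROUTING = teamB_indexers
index = teamb_web

# To send this input to both teams, list both groups instead:
# _TCP_ROUTING = teamA_indexers, teamB_indexers
```

Scoping the routing to individual input stanzas keeps the cross-team feed limited to the files Team B was granted, instead of cloning everything the forwarder collects.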