Getting Data In

Questions about Universal Forwarder.

zacksoft
Contributor

If anyone could help me clarify these, that would help.

  1. Can a Universal Forwarder send data to only "one" indexer at a time?
    A UF cannot be configured to send data to multiple indexes in the same Splunk instance.
    Is my understanding correct?

  2. If I'm wrong about question 1,
    say I have two Splunk instances (two different teams, A & B, using their own Splunk, no relation at all).
    However, Team B wants some data from Team A. Team B is not allowed to install their forwarders on Team A's web servers. Team A's web servers have their own UF installed for their own Splunk instance. Is there a way to send the data using Team A's UFs into Team B's Splunk index?


gcusello
SplunkTrust

Hi @zacksoft,
Universal Forwarder can send logs to many Indexers in two configurations:

  • in auto load balancing, it distributes logs between the configured Indexers using a round robin algorithm to distribute logs and managing the failover of one or more indexers;
  • it can send the same log to two or more indexers, but in this case license consumption is double or more.

So you can follow two approaches:

  • you can configure your UFs to send a part of the data to both the Indexers (in this way you have a double consumption of license),
  • you can configure a Search Head for each Team to see both the indexers' data.

You can find information about this issue at https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Usingforwardingagents and https://docs.splunk.com/Documentation/Forwarder/8.0.3/Forwarder/Configureforwardingwithoutputs.conf .

Ciao.
Giuseppe

zacksoft
Contributor

Team A doesn't use the data that Team B wants. Team A has set up their UF to get data from webservers that are different than Team B. The data that Team B's Splunk instance wants is present on Team A's webservers, and they are thinking if they can get it using Team A's Splunk UF that is already installed there.


gcusello
SplunkTrust

Hi @zacksoft,
yes, you can: TeamA's UFs must be configured to send a part of their data to both the Indexers following the instructions at https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad#Perform_selective_...
in other words, they have to configure in outputs.conf a default targetGroup (containing Indexers of TeamA) to send all the logs and a second targetGroup (containing the Indexers of TeamB) to send the specified data.
Then they have to put in inputs.conf _INDEX_AND_FORWARD_ROUTING= in the stanzas to send to both the indexers.

Ciao.
Giuseppe
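
A sketch of the two-target-group layout described in the answer above, as an added example that is not part of the original thread. Host names, ports, index names, sourcetypes and monitored paths are placeholders, and the per-input route uses the inputs.conf `_TCP_ROUTING` setting, which is this example's choice rather than the setting named in the answer.

```ini
# ---- outputs.conf on Team A's Universal Forwarder ----
[tcpout]
# Inputs without an explicit route are sent only to Team A's indexers.
defaultGroup = team_a_indexers

[tcpout:team_a_indexers]
# Placeholder hosts. Several servers in one group are auto load balanced.
server = idx1.team-a.example:9997, idx2.team-a.example:9997

[tcpout:team_b_indexers]
# Placeholder host for Team B's receiving indexer.
server = idx1.team-b.example:9997

# ---- inputs.conf on the same forwarder ----
# Input that only Team A needs: no routing key, so it follows defaultGroup
# and never reaches Team B.
[monitor:///var/log/httpd/access_log]
index = team_a_web
sourcetype = access_combined

# Input that Team B asked for: routed only to Team B's group.
# The index named here must exist on Team B's indexers.
[monitor:///var/log/app/orders.log]
index = team_b_app
sourcetype = orders_log
_TCP_ROUTING = team_b_indexers

# To clone an input to both teams instead (license is consumed on both
# sides), list both groups:
#   _TCP_ROUTING = team_a_indexers, team_b_indexers
```

Because routing is set per input stanza, Team A can review exactly which sources leave for Team B's indexers by reading inputs.conf, and everything else stays on the default group.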
