Getting Data In

Questions about Universal Forwarder.

zacksoft
Contributor

If anyone could help me clarify these... that would help.

  1. A Universal Forwarder can send data at a time to "one" indexer only?
    A UF cannot be configured to send data to multiple indexes in the same Splunk instance.
    Is my understanding correct?

  2. If I'm wrong about question 1,
    say I have two Splunk instances (two different teams, A & B, each using their own Splunk, no relation at all).
    However, Team B wants some data from Team A. Team B is not allowed to install their forwarders on Team A's web servers. Team A's web servers have their own UF installed for their own Splunk instance. Is there a way to send the data using Team A's UFs into Team B's Splunk index?


gcusello
SplunkTrust
SplunkTrust

Hi @zacksoft,
Universal Forwarder can send logs to many Indexers in two configurations:

  • in auto load balancing, it distributes logs between the configured Indexers using a round-robin algorithm to distribute logs, and manages the failover of one or more Indexers;
  • it can send the same log to two or more Indexers, but in this case license consumption is double or more.

So you can follow two approaches:

  • you can configure your UFs to send a part of the data to both the Indexers (in this way you have a double consumption of license),
  • you can configure a Search Head for each Team to see both Indexers' data.

You can find info about this issue at https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Usingforwardingagents and https://docs.splunk.com/Documentation/Forwarder/8.0.3/Forwarder/Configureforwardingwithoutputs.conf .

Ciao.
Giuseppe


zacksoft
Contributor

Team A doesn't use the data that Team B wants. Team A has set up their UF to get data from web servers that are different from Team B's. The data that Team B's Splunk instance wants is present on Team A's web servers, and they are wondering whether they can get it using Team A's Splunk UF that is already installed there.


gcusello
SplunkTrust
SplunkTrust

Hi @zacksoft,
yes, you can: Team A's UFs must be configured to send a part of their data to both the Indexers, following the instructions at https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad#Perform_selective_...
In other words, they have to configure in outputs.conf a default targetGroup (containing the Indexers of Team A) to send all the logs, and a second targetGroup (containing the Indexers of Team B) to send the specified data.
Then they have to put _INDEX_AND_FORWARD_ROUTING= in the inputs.conf stanzas to send to both the Indexers.

Ciao.
Giuseppe
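The two-target-group setup described above, written out as an added example that is not from the thread or from Splunk's documentation: host names, ports, log paths and index names are placeholders, and it uses `_TCP_ROUTING`, the inputs.conf key that selects tcpout groups on a Universal Forwarder, rather than `_INDEX_AND_FORWARD_ROUTING` (a heavy-forwarder setting). TLS settings assume certificates are already deployed on forwarder and indexers; Splunk .conf files only accept whole-line `#` comments, so none are placed after values.

```ini
# ---- outputs.conf on Team A's web servers (constructed example) ----
[tcpout]
# Inputs with no explicit routing go only to Team A's indexers.
defaultGroup = teamA_indexers
# Indexer acknowledgement: the UF resends if a receiver never confirms
# the block, so routed data is not silently dropped during failover.
useACK = true

[tcpout:teamA_indexers]
# Two receivers: the UF auto-load-balances between them.
server = idxa1.teama.example.internal:9997, idxa2.teama.example.internal:9997
# Refuse to forward to a receiver whose TLS certificate does not verify
# (assumes sslRootCAPath / clientCert are configured elsewhere).
sslVerifyServerCert = true

[tcpout:teamB_indexers]
# Team B's receiver; data crossing a team boundary should be TLS-verified too.
server = idxb1.teamb.example.internal:9997
sslVerifyServerCert = true

# ---- inputs.conf on the same hosts (constructed example) ----
[monitor:///var/log/nginx/access.log]
sourcetype = nginx:access
index = web
# This input only: send to BOTH groups. Each receiving instance counts
# the same events against its own license, hence the "double" usage.
_TCP_ROUTING = teamA_indexers, teamB_indexers

[monitor:///var/log/nginx/error.log]
sourcetype = nginx:error
index = web
# No _TCP_ROUTING here, so this input falls back to defaultGroup
# and never reaches Team B.
```

The `index` value travels with the event, so Team B's indexers need an index of that name (or a `lastChanceIndex` in indexes.conf) or the routed events are discarded on arrival. Restart the UF after editing, then confirm with `splunk list forward-server` that both groups show as active.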
