Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search head configured as a forwarder?

mfrost8
Builder
‎06-29-2010 09:01 PM

I'm trying to setup a Splunk search head. I'm really trying to convert an existing light-weight forwarder server to act as a combination search head and forwarder. That is, I still have local log files that I want to forward to the indexers, and of course, I'd like the local Splunk log files sent to the indexers as well.

The search head is definitely working.

From what I can see, I can't turn on the SplunkForwarder app because it turns off distributed search (needed for the search head).

Is forwarding my data just as simple as creating an outputs.conf that points to the indexers? There's really nothing that would prevent a search head from also forwarding any local data to an indexer, right? I didn't get a clear sense of that from the manuals.

Thanks

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

mfrost8
Builder
‎07-14-2010 05:04 PM

It appears that what I'm asking is possible.

The server in question is

  • configured as a "search head" and has 2 other servers (indexers) added as search peers for distributed search
  • using the splunk-forwarder.license file as I don't want to index any events locally.
  • configured with an app that's got some local files listed in inputs.conf and passes them to one of the indexers via an appropriate outputs.conf.

It's certainly not a lightweight forwarder because it has to have splunkweb running and because it needs to make use of distributed search, but it is working as I'd hoped.

View solution in original post

Reply
Solved! Jump to solution
Solution

mfrost8
Builder
‎07-14-2010 05:04 PM

It appears that what I'm asking is possible.

The server in question is

  • configured as a "search head" and has 2 other servers (indexers) added as search peers for distributed search
  • using the splunk-forwarder.license file as I don't want to index any events locally.
  • configured with an app that's got some local files listed in inputs.conf and passes them to one of the indexers via an appropriate outputs.conf.

It's certainly not a lightweight forwarder because it has to have splunkweb running and because it needs to make use of distributed search, but it is working as I'd hoped.

Reply
Solved! Jump to solution

Steve_G_
Splunk Employee
Splunk Employee
‎06-29-2010 11:48 PM

Distributed search functionality is turned off in both heavy and light forwarders. For detailed description of what features are available in forwarders, see:

http://www.splunk.com/base/Documentation/latest/Admin/Moreaboutforwarders

0 Karma
Reply
Solved! Jump to solution

mfrost8
Builder
‎06-30-2010 03:22 AM

Maybe I didn't really say what I needed properly. I need a search head, but I also have log files on that host that I will want to search. So I need Splunk to both act as a search head (distributed search to 2 indexers) and also to collect events from log files on that server and forward them to those indexers. That is, act as a forwarder for those events.

Perhaps there's confusion about my saying "forwarder" to mean that it's forwarding local events to remote indexers at the same time it's acting as a search head. I think all I need is an outputs.conf.

0 Karma
Reply
Solved! Jump to solution

sophy
Splunk Employee
Splunk Employee
‎06-29-2010 10:53 PM

fyi, you can also refer to this Admin manual topic for more information on how we define the various components of a Splunk deployment: Components of a Splunk deployment

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...