Getting Data In

Search head configured as a forwarder?

mfrost8
Builder

I'm trying to set up a Splunk search head. I'm really trying to convert an existing light-weight forwarder server to act as a combination search head and forwarder. That is, I still have local log files that I want to forward to the indexers, and of course, I'd like the local Splunk log files sent to the indexers as well.

The search head is definitely working.

From what I can see, I can't turn on the SplunkForwarder app because it turns off distributed search (needed for the search head).

Is forwarding my data just as simple as creating an outputs.conf that points to the indexers? There's really nothing that would prevent a search head from also forwarding any local data to an indexer, right? I didn't get a clear sense of that from the manuals.

Thanks

1 Solution

mfrost8
Builder

It appears that what I'm asking is possible.

The server in question is

  • configured as a "search head" and has 2 other servers (indexers) added as search peers for distributed search
  • using the splunk-forwarder.license file as I don't want to index any events locally.
  • configured with an app that's got some local files listed in inputs.conf and passes them to one of the indexers via an appropriate outputs.conf.

It's certainly not a lightweight forwarder because it has to have splunkweb running and because it needs to make use of distributed search, but it is working as I'd hoped.

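A minimal set of configuration files that implement the setup described in this answer (a search head with two search peers, no local indexing, local files and Splunk's own logs forwarded to the indexers). This is an added example, not the poster's configuration: the app name local_logs, the hostnames idx1/idx2, the monitored path, the index and sourcetype names, and the port numbers are assumptions, and the two ssl* lines assume you already have a CA and server certificates deployed on the indexers.

```ini
# $SPLUNK_HOME/etc/apps/local_logs/local/inputs.conf   (app name assumed)
# Files on the search head that should be searchable. They are never
# indexed on this host because of the outputs.conf settings below.
[monitor:///var/log/myapp/*.log]
sourcetype = myapp
index = main
disabled = false

# $SPLUNK_HOME/etc/apps/local_logs/local/outputs.conf
# Keep no local copy of anything: with the forwarder license this host
# may not index, so every event (including _internal/_audit) leaves it.
[indexAndForward]
index = false

[tcpout]
defaultGroup = indexers
indexAndForward = false
# Forward all indexes, including Splunk's own internal logs, instead of
# applying the default forwardedindex whitelist/blacklist filters.
forwardedindex.filter.disable = true

[tcpout:indexers]
# Each indexer must have a receiver enabled on this port
# ([splunktcp://9997] in the indexer's inputs.conf).
server = idx1.example.com:9997, idx2.example.com:9997
# Assumed: encrypt the forwarding channel and reject indexers whose
# certificate is not signed by your CA.
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
sslVerifyServerCert = true

# $SPLUNK_HOME/etc/system/local/distsearch.conf
# The same two indexers are the search peers. Search traffic uses the
# management port (8089), not the receiving port used for forwarding.
[distributedSearch]
servers = https://idx1.example.com:8089, https://idx2.example.com:8089
```

Two points worth checking after a restart: the search-head-to-peer trust is not established by editing distsearch.conf alone (adding the peers through Splunk Web or `splunk add search-server` exchanges the distributed search keys), and the receiving port and the management port are different listeners on the indexer, so a firewall that only allows 8089 will let distributed search work while forwarding silently queues on the search head.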

Steve_G_
Splunk Employee

Distributed search functionality is turned off in both heavy and light forwarders. For a detailed description of what features are available in forwarders, see:

http://www.splunk.com/base/Documentation/latest/Admin/Moreaboutforwarders


mfrost8
Builder

Maybe I didn't really say what I needed properly. I need a search head, but I also have log files on that host that I will want to search. So I need Splunk to both act as a search head (distributed search to 2 indexers) and also to collect events from log files on that server and forward them to those indexers. That is, act as a forwarder for those events.

Perhaps there's confusion about my saying "forwarder" to mean that it's forwarding local events to remote indexers at the same time it's acting as a search head. I think all I need is an outputs.conf.


sophy
Splunk Employee

fyi, you can also refer to this Admin manual topic for more information on how we define the various components of a Splunk deployment: Components of a Splunk deployment
