Search head configured as a forwarder?

Builder

I'm trying to set up a Splunk search head. I'm really trying to convert an existing lightweight forwarder server to act as a combination search head and forwarder. That is, I still have local log files that I want to forward to the indexers, and of course, I'd like the local Splunk log files sent to the indexers as well.

The search head is definitely working.

From what I can see, I can't turn on the SplunkForwarder app because it turns off distributed search (needed for the search head).

Is forwarding my data just as simple as creating an outputs.conf that points to the indexers? There's really nothing that would prevent a search head from also forwarding any local data to an indexer, right? I didn't get a clear sense of that from the manuals.

Thanks

1 Solution

Builder

It appears that what I'm asking is possible.

The server in question is

  • configured as a "search head" and has 2 other servers (indexers) added as search peers for distributed search
  • using the splunk-forwarder.license file as I don't want to index any events locally.
  • configured with an app that's got some local files listed in inputs.conf and passes them to one of the indexers via an appropriate outputs.conf.

It's certainly not a lightweight forwarder because it has to have splunkweb running and because it needs to make use of distributed search, but it is working as I'd hoped.

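As an added illustration (not configuration posted by the original author), the three conf files that the accepted solution describes, as they would sit in the app's local directory on the search head: distsearch.conf naming the two indexers as search peers, inputs.conf monitoring a local log file, and outputs.conf forwarding everything to those same indexers. Hostnames, ports, paths and the sourcetype are assumed values.

```ini
# distsearch.conf -- search-head side: the two indexers as search peers
# (hostnames and the 8089 management port are assumed values)
[distributedSearch]
servers = https://idx01.example.internal:8089,https://idx02.example.internal:8089

# inputs.conf -- local files on this host that should be searchable
# (path and sourcetype are assumed values)
[monitor:///var/log/myapp/*.log]
sourcetype = myapp
index = main
disabled = false

# outputs.conf -- forward everything this instance reads, including its own
# _internal logs, to the indexers. The forwarder license already prevents
# local indexing; indexAndForward makes that intent explicit in config.
[indexAndForward]
index = false

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
# Receiving port the indexers listen on (assumed value).
server = idx01.example.internal:9997,idx02.example.internal:9997
# Spread forwarded events across both indexers.
autoLB = true

# Optional: protect the forwarding channel with TLS once the indexers'
# receiving port is configured for it. Certificate paths are assumed and
# attribute names vary between Splunk versions, so check the outputs.conf
# spec for the version in use.
# sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
# sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
# sslPassword = <certificate password>
# sslVerifyServerCert = true
```

With this layout the host searches the two indexers as peers while the same indexers receive its local file events and Splunk's own logs, which is the combined role the question asks about.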

Splunk Employee

Distributed search functionality is turned off in both heavy and light forwarders. For a detailed description of what features are available in forwarders, see:

http://www.splunk.com/base/Documentation/latest/Admin/Moreaboutforwarders

Builder

Maybe I didn't really say what I needed properly. I need a search head, but I also have log files on that host that I will want to search. So I need Splunk to both act as a search head (distributed search to 2 indexers) and also to collect events from log files on that server and forward them to those indexers. That is, act as a forwarder for those events.

Perhaps there's confusion about my saying "forwarder" to mean that it's forwarding local events to remote indexers at the same time it's acting as a search head. I think all I need is an outputs.conf.

Splunk Employee

fyi, you can also refer to this Admin manual topic for more information on how we define the various components of a Splunk deployment: Components of a Splunk deployment