Getting Data In

Set universal forwarder destination after startup

dadi
Path Finder

Hi,

I install Splunk Universal Forwarder on a Windows Server 2008. The Splunk-Server IP is known only after startup. So I want to set the destination only after Windows starts, and I want to do it from a non-administrator account.
I was able to do it from an administrator account (run splunk, set forward-server, restart). But I can't do it from a non-administrator account.

Any idea how to do it?

thanks,

Doron

0 Karma

kristian_kolb
Ultra Champion

Could you not use the DNS name? /K

MarioM
Motivator

You can create/edit outputs.conf in splunk/etc/system/local, as per the example:

[tcpout]

## outputs.conf additions
disabled=false
defaultGroup=indexCluster

## For load balanced Splunk Forwarding (enabled by default)
[tcpout:indexCluster]
server=1.1.1.1:9997,2.2.2.2:9997,3.3.3.3:9997
autoLB = true

## For non load balanced lightweight Splunk Forwarding (disabled by default)
#[tcpout:indexCluster]
#server=1.1.1.1:9997
0 Karma

kristian_kolb
Ultra Champion

I assume that you are doing this in some sort of test environment, which is fine - but it is probably NOT a good idea to have your Splunk Indexer(s) on DHCP when moving into production.

0 Karma

MarioM
Motivator

Unfortunately there is no magic without admin rights, but as Kristian.kolb mentioned, you should use a DNS name, which you can update with the proper IP.

0 Karma

kristian_kolb
Ultra Champion

That would require a restart of the splunkd service.

0 Karma

dadi
Path Finder

Thanks. I did that, but then I need to restart the service (right?), and this can't be done without administrator privileges.

0 Karma