Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Set universal forwarder destination after startup

dadi
Path Finder
‎03-21-2012 04:00 AM

Hi,

I install Splunk Universal Forwarder on a Windows server 2008. The Splunk-Server IP is known only after startup. So i want to set the destination only after windows start, and i want to do it from non-administrator account.
I was able to do it from administrator account (run splunk, set forward-server, restart). But i cant do it from non-administrator account.

Any idea how to do it?

thanks,

Doron

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎03-21-2012 04:43 AM

Could you not use the DNS name? /K

Reply

MarioM
Motivator
‎03-21-2012 04:14 AM

you can create/edit outputs.conf in splunk/etc/system/local,as per example:

[tcpout]

## outputs.conf additions
disabled=false
defaultGroup=indexCluster

## For load balanced Splunk Forwarding (enabled by default)
[tcpout:indexCluster]
server=1.1.1.1:9997,2.2.2.2:9997,3.3.3.3:9997
autoLB = true

## For non load balanced lightweight Splunk Forwarding (disabled by default)
#[tcpout:indexCluster]
#server=1.1.1.1:9997
0 Karma
Reply

kristian_kolb
Ultra Champion
‎03-21-2012 05:12 AM

I assume that you are doing this in some sort of test environment, which is fine - but it is probably NOT a good idea to have your Splunk Indexer(s) on DHCP when moving into production.

0 Karma
Reply

MarioM
Motivator
‎03-21-2012 05:04 AM

unfortunately there is no magic without admin rights but as Kristian.kolb mentionned you should use DNS name which you can update with the proper ip

0 Karma
Reply

kristian_kolb
Ultra Champion
‎03-21-2012 04:59 AM

That would require a restart of the splunkd service.

0 Karma
Reply

dadi
Path Finder
‎03-21-2012 04:50 AM

thanks. i did that, but than i need to restart the service (right?), and this can't be done without administrator privilages.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...