Hi,
1) I've read the article on migrating a light forwarder. However I've some heavy forwarders in use and wonder if the same steps to migrate apply?
2) So if I require to use the forwarder to run certain scripts(eg.rlog.sh) as data inputs,and then forwards them to our indexer,in this scenario it can only be done using a heavy forwarder?Or can it be done using the universal forwarder?
1) Yes, the same steps apply. However, if you're going from a heavy forwarder to a universal, this isn't just upgrading the version. You are also basically changing the system architecture, so you configurations will have to be moved or adjusted to reflect that. In particular, any parsing-stage configurations must be on the indexer if they are initially used on a heavy forwarder that is being made into a universal or light forwarder. Changing a heavy forwarder to a new heavy one should be basically the same as going from light to light.
2) That will work fine. The UF does not have it's own python installation, so a script that expects that will have to be modified to use a local system python, but other types of scripts should work as before.
1) Yes, the same steps apply. However, if you're going from a heavy forwarder to a universal, this isn't just upgrading the version. You are also basically changing the system architecture, so you configurations will have to be moved or adjusted to reflect that. In particular, any parsing-stage configurations must be on the indexer if they are initially used on a heavy forwarder that is being made into a universal or light forwarder. Changing a heavy forwarder to a new heavy one should be basically the same as going from light to light.
2) That will work fine. The UF does not have it's own python installation, so a script that expects that will have to be modified to use a local system python, but other types of scripts should work as before.
If you migrate from a heavy forwarder to a universal or light forwarder, you will have to move some configurations. See http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F
just to clarify,in other words if I were to migrate from a heavy forwarder(that currently has configurations in props.conf,transforms.conf to filter off certain events before sending to the indexer),I will have to move those configuration settings to the indexer instead?