Getting Data In

Some questions on migrating to 4.2 forwarders

remy06
Contributor

Hi,

1) I've read the article on migrating a light forwarder. However I've some heavy forwarders in use and wonder if the same steps to migrate apply?

2) So if I require to use the forwarder to run certain scripts(eg.rlog.sh) as data inputs,and then forwards them to our indexer,in this scenario it can only be done using a heavy forwarder?Or can it be done using the universal forwarder?

Tags (1)
0 Karma
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

1) Yes, the same steps apply. However, if you're going from a heavy forwarder to a universal, this isn't just upgrading the version. You are also basically changing the system architecture, so you configurations will have to be moved or adjusted to reflect that. In particular, any parsing-stage configurations must be on the indexer if they are initially used on a heavy forwarder that is being made into a universal or light forwarder. Changing a heavy forwarder to a new heavy one should be basically the same as going from light to light.

2) That will work fine. The UF does not have it's own python installation, so a script that expects that will have to be modified to use a local system python, but other types of scripts should work as before.

View solution in original post

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

1) Yes, the same steps apply. However, if you're going from a heavy forwarder to a universal, this isn't just upgrading the version. You are also basically changing the system architecture, so you configurations will have to be moved or adjusted to reflect that. In particular, any parsing-stage configurations must be on the indexer if they are initially used on a heavy forwarder that is being made into a universal or light forwarder. Changing a heavy forwarder to a new heavy one should be basically the same as going from light to light.

2) That will work fine. The UF does not have it's own python installation, so a script that expects that will have to be modified to use a local system python, but other types of scripts should work as before.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

If you migrate from a heavy forwarder to a universal or light forwarder, you will have to move some configurations. See http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F

0 Karma

remy06
Contributor

just to clarify,in other words if I were to migrate from a heavy forwarder(that currently has configurations in props.conf,transforms.conf to filter off certain events before sending to the indexer),I will have to move those configuration settings to the indexer instead?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...