Getting Data In

Some questions on migrating to 4.2 forwarders

remy06
Contributor

Hi,

1) I've read the article on migrating a light forwarder. However I've some heavy forwarders in use and wonder if the same steps to migrate apply?

2) So if I require to use the forwarder to run certain scripts(eg.rlog.sh) as data inputs,and then forwards them to our indexer,in this scenario it can only be done using a heavy forwarder?Or can it be done using the universal forwarder?

Tags (1)
0 Karma
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

1) Yes, the same steps apply. However, if you're going from a heavy forwarder to a universal, this isn't just upgrading the version. You are also basically changing the system architecture, so you configurations will have to be moved or adjusted to reflect that. In particular, any parsing-stage configurations must be on the indexer if they are initially used on a heavy forwarder that is being made into a universal or light forwarder. Changing a heavy forwarder to a new heavy one should be basically the same as going from light to light.

2) That will work fine. The UF does not have it's own python installation, so a script that expects that will have to be modified to use a local system python, but other types of scripts should work as before.

View solution in original post

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

1) Yes, the same steps apply. However, if you're going from a heavy forwarder to a universal, this isn't just upgrading the version. You are also basically changing the system architecture, so you configurations will have to be moved or adjusted to reflect that. In particular, any parsing-stage configurations must be on the indexer if they are initially used on a heavy forwarder that is being made into a universal or light forwarder. Changing a heavy forwarder to a new heavy one should be basically the same as going from light to light.

2) That will work fine. The UF does not have it's own python installation, so a script that expects that will have to be modified to use a local system python, but other types of scripts should work as before.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

If you migrate from a heavy forwarder to a universal or light forwarder, you will have to move some configurations. See http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F

0 Karma

remy06
Contributor

just to clarify,in other words if I were to migrate from a heavy forwarder(that currently has configurations in props.conf,transforms.conf to filter off certain events before sending to the indexer),I will have to move those configuration settings to the indexer instead?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...