Hi All,
The environment has 1 Search head, 2 Indexers, 1 Cluster Master, and 1 Deployment server.
All servers are windows servers. Only the streamfwd machine is a Linux machine.
Netflow data is being received on port 9999.
We have also configured the inputs.conf and streamfwd.conf based on instructions on Splunk docs.
But we do not see any data ingestion.
We confirmed data being received on port 9999 by tcpdump commands.
Thank you.
Did you configure the Streams after configuring the streamfwd? In the Splunk Stream App under "Configuration-->Configure Streams" you define what you want streamfwd to collect. There you create/enable your Streams to collect that define which fields you'd like extracted from that data. Then under "Configuration-->Distributed Forwarder Management" you define your groups to target which forwarders get what Streams.
Thanks for the reply.
Did you configure the Streams after configuring the streamfwd?
Yes, we have configured the streams and enabled "netflow" stream.
By default we have selected all the 154 fileds in "netflow" stream.
"Configuration-->Distributed Forwarder Management" - define your groups to target
Unable to find the 'streamfwd' here, under "Matched Forwarders".
(Initially, we added to 'default group', but later created a new group as well.)
Could there be any issues with the 'streamfwd' installation with curl?
any manual configuration updates are required in inputs.conf and streamfwd.conf?
Thanks a lot.
Did you configure HEC on your indexers receiving the data? Docs for it here: https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/InstallStreamForwarderonindepe.... You also need to have the inputs.conf on your indexers specifying how the data is coming in since it isn't from traditional Splunk2Splunk. The standalone streamfwd sends data via HEC so you need to configure a token, and add that token to your indexers and your forwarder. Your config on your inputs.conf on your indexer might look something like this:
[http://streamfwd]
disabled = 0
index = your_default_index
token = your_hec_token
indexes = _internal, main, other_indexes_that_this_token_can_send_to
Relevant inputs.conf docs: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#HTTP_Event_Collector_.28HEC.29_...
Does the stream add-on supports sending data to Indexers using S2S communication on port 9997?
The docs only seem to emphasize on showing integration using HEC