Getting Data In

Universal forwarder installation on a Splunk server?

Lwoods
Path Finder

Hello, 

I'm reading the Forwarder Management manual and it states " Do not install the universal forwarder over an existing installation of full Splunk Enterprise."

What does this mean?

My goal is to install a universal forwarder on a Linux host, to monitor its /var/log directory.  However, the host has the Splunk search head server installed on it.   Can this be done, without crashing the search head server?


0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @Lwoods,

It isn't a crashing problem: there is no utility in installing a UF on a server where a full Splunk instance is already installed.

You can take the local logs and forward them to Indexers without the UF.

In addition, there could be some problems using a Deployment Server.

Ciao.

Giuseppe


Lwoods
Path Finder

For a regular Linux host, do I have to create a user and group when installing the UF?

The manual says

1. Log in as root to the machine on which you want to install the Splunk Universal Forwarder, and create the Splunk user and group:
       useradd -m splunk
       groupadd splunk
2. Install the Splunk software, as described in the installation instructions for your platform in Installation instructions. Create the $SPLUNK_HOME directory wherever desired:
       export SPLUNK_HOME="/opt/splunkforwarder"
       mkdir $SPLUNK_HOME

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @Lwoods 

>> For a regular linux host,  do I have to create a user and group when installing UF

Yes, we should not run the Splunk agent through the root user or any admin user, so it's always better to create a regular user, usually called "splunk", and a group as well, and then install the UF.

gcusello
SplunkTrust
SplunkTrust

Hi @Lwoods ,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

richgalloway
SplunkTrust
SplunkTrust

Installing a Universal Forwarder (UF) and a full Splunk instance (such as a search head) on the same machine is not a simple process.  Steps must be taken to avoid conflicts between the two.

Fortunately, it is totally unnecessary to install a UF on a SH.  That's because a SH is capable of everything a UF can do.

To monitor the SH's /var/log directory, simply add an input that does so.  Go to Settings->Data inputs->Files & Directories then click the "New Local File & Directory" button.

---
If this reply helps you, Karma would be appreciated.

tan_junyuan
Engager

>> it is totally unnecessary to install a UF on a SH

Requirements are determined by policies, so if policy says that it is required to forward all Splunk components to central Splunk for monitoring, then it is necessary.


We have a use-case that also requires us to install Splunk UF in all the components: Indexers, Search Heads, Deployment servers.

I believe forwarders itself can dual-pipe, however whether it can choose certain index to pipe, I am not very sure.

e.g.

Indexes 1, 2, 3 only - pipe to central Splunk

All indexes - pipe to local Splunk



0 Karma

Lwoods
Path Finder

So, to monitor my Linux box that has a Splunk instance on it, I cannot install a forwarder on it. Instead I do:

1. Go to Data inputs

2. Files & Directories

Do I enable the /var/log directory to get the linux logs?

If I enable it, will it conflict with anything?

Also, can I do this with Indexer, and the Deployment Server?

Thanks



0 Karma

inventsekar
SplunkTrust
SplunkTrust

>> So, to monitor my Linux box that has a Splunk instance on it, I cannot install a forwarder on it.

Yes, when you already have a Splunk HF, Splunk indexer or search head, you should not install a UF on that system.

To check whether the /var/log directory is already onboarded, maybe you can check the DMC for that particular system; if you see details about that system, then most probably the var logs are already being indexed.

If the var logs are not being indexed, then you can enable them as you were saying, on Data inputs.


>> If I enable it, will it conflict with anything?

Nope, it will not conflict with anything. It will be a simple task and it won't give you any issues or conflicts.
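The advice above (use the full instance's own monitor input instead of a second UF install, and check first whether /var/log is already onboarded) as a set of shell helpers. This is an added example, not code from the thread or from Splunk's documentation; it assumes the standard output shapes of "splunk version" and "splunk list monitor", and the index name "os" is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or Splunk's docs): helpers for onboarding
# /var/log on a host that already runs a full Splunk instance.

# Classify a "splunk version" line: prints "uf" for a Universal Forwarder,
# "enterprise" for full Splunk Enterprise, "unknown" for anything else.
classify_install() {
    case "$1" in
        "Splunk Universal Forwarder "*) echo uf ;;
        "Splunk "[0-9]*)               echo enterprise ;;
        *)                             echo unknown ;;
    esac
}

# Return 0 if the directory in $1 already appears in the "splunk list monitor"
# output supplied on stdin, so the same input is not added twice.
path_monitored() {
    # Strip the leading tabs/spaces the CLI indents with, then match whole lines.
    sed 's/^[[:space:]]*//' | grep -qx -- "$1"
}

# Print the inputs.conf stanza that Settings > Data inputs > Files & Directories
# would write for directory $1 into index $2 (sourcetype syslog is an assumption).
monitor_stanza() {
    printf '[monitor://%s]\ndisabled = 0\nindex = %s\nsourcetype = syslog\n' "$1" "$2"
}

# On the running host: refuse to act unless the local install is a full
# Splunk instance, then add the /var/log monitor only if it is not already there.
onboard_var_log() {
    home="${SPLUNK_HOME:-/opt/splunk}"
    [ -x "$home/bin/splunk" ] || { echo "no splunk binary under $home" >&2; return 1; }
    kind=$(classify_install "$("$home/bin/splunk" version)")
    if [ "$kind" != enterprise ]; then
        echo "install under $home is '$kind', not a full instance; not adding input" >&2
        return 1
    fi
    if "$home/bin/splunk" list monitor | path_monitored /var/log; then
        echo "/var/log is already monitored by $home"
    else
        # "os" is a placeholder index name; use the one your policy requires.
        "$home/bin/splunk" add monitor /var/log -index os
    fi
}
```

Running onboard_var_log on a host where only a UF is installed exits non-zero instead of adding an input, which is the conflict the thread warns about.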
