Solved: Using UF to forward data to local Heavy Forwarder ...

damo66a · ‎04-29-2021

I may have missed a topic in my search but is there a way to do the following (im also fairly new to Splunk so be gentle 😁 )

We have a server locked down on our network and has no outside access but we can configure internal (server to server) access.

Is there a way to use a Universal Forwarder on that server to forward to the local on prem Heavy Forwarder and then relay those to our Splunk Cloud?

Thanks in advance

aasabatini · ‎04-29-2021

Hello @damo66a again,

yes you can configure the uf to send to HF and in the end at splunkcloud

be careful to to configure your outputs.conf

suggestion, if you have a huge size of eventdata you can think to use 2 hf to use the splunk load-balancing options

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

aasabatini · ‎04-29-2021

Hello @damo66a again,

yes you can configure the uf to send to HF and in the end at splunkcloud

be careful to to configure your outputs.conf

suggestion, if you have a huge size of eventdata you can think to use 2 hf to use the splunk load-balancing options

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

damo66a · ‎05-06-2021

worked a treat. thanks for your help

Using UF to forward data to local Heavy Forwarder and then on to Cloud