Getting Data In

Via CLI why did "add forward-server" work and "add search-server" failed?

haway
Engager

Why i use "add forward-server" is work, but "add search-server" failed?

[root@proxy splunkforwarder]# bin/splunk help commands
[skip...]
[command] [objects]

    add                 [exec|forward-server|index|licenser-pools|licenses|monitor|oneshot|
                        saved-search|search-server|tcp|udp|user]

[root@proxy splunkforwarder]# bin/splunk add forward-server xxx.xxx.xxx.xxx:9001
Added forwarding to: xxx.xxx.xxx.xxx:9001.
[root@proxy splunkforwarder]# bin/splunk add search-server xxx.xxx.xxx.xxx:9001
Command error: The subcommand 'search-server' is not valid for command 'add'.
Data forwarding configuration management tools.
Commands:
enable local-index [-parameter ] ...
disable local-index [-parameter ] ...
display local-index
add [forward-server|search-server] server
remove [forward-server|search-server] server
list [forward-server|search-server]
Objects:
forward-server a Splunk forwarder to forward data to be indexed
search-server a Splunk server to forward searches
local-index a local search index on the Splunk server
[root@proxy splunkforwarder]#

Thanks!

Lamar
Splunk Employee
Splunk Employee

It likely has to do with the fact that you shouldn't be 'searching' from your forwarder. The forwarders job is to feed data to the indexing layer of splunk which would be, in this case, a search-server.

If you've defined this 'splunkforwarder' server to simply be a forwarder, you won't be able to really search from it anyway.

0 Karma

haway
Engager

thanks for your help.

I try to add "search-server", because i can't forward data to splunk server.
I found really problem is incorrect setting in splunk server.

It's work now! ^_^

Anyway, Thanks

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...