Why i use "add forward-server" is work, but "add search-server" failed?
[root@proxy splunkforwarder]# bin/splunk help commands
add [exec|forward-server|index|licenser-pools|licenses|monitor|oneshot| saved-search|search-server|tcp|udp|user]
[root@proxy splunkforwarder]# bin/splunk add forward-server xxx.xxx.xxx.xxx:9001
Added forwarding to: xxx.xxx.xxx.xxx:9001.
[root@proxy splunkforwarder]# bin/splunk add search-server xxx.xxx.xxx.xxx:9001
Command error: The subcommand 'search-server' is not valid for command 'add'.
Data forwarding configuration management tools.
enable local-index [-parameter
disable local-index [-parameter
add [forward-server|search-server] server
remove [forward-server|search-server] server
forward-server a Splunk forwarder to forward data to be indexed
search-server a Splunk server to forward searches
local-index a local search index on the Splunk server
It likely has to do with the fact that you shouldn't be 'searching' from your forwarder. The forwarders job is to feed data to the indexing layer of splunk which would be, in this case, a search-server.
If you've defined this 'splunkforwarder' server to simply be a forwarder, you won't be able to really search from it anyway.
thanks for your help.
I try to add "search-server", because i can't forward data to splunk server.
I found really problem is incorrect setting in splunk server.
It's work now! ^_^