What's the significance of the add forward-server statement?
splunk add forward-server <host>:<port> -auth <username>:<password>
I'm documenting the forwarder install for some admins to read, and we previously had this step in there for a standalone deployment. I think we'll remove it though with our new distributed deployment.
According to the Answers and Docs it's optional, and I believe I'm hardcoding all the indexer addresses anyways in a forwarder package so it's not needed. It's just difficult for me to follow some of the docs because terminologies are used interchangeably and it sometimes becomes unclear.
I know this is a super old thread but I was wondering if you could clarify:
I believe I'm hardcoding all the indexer addresses anyways in a forwarder package so it's not needed.
Do you have some documentation on this process?
Any help is appreciated.
The CLI command in question is used to configure the receiving endpoint on a Universal Forwarder. More info is available here. I am not sure if this is what you're looking for, but this definitely is a good starting point.
In that case, you have to include outputs.conf with the settings below in your forwarder package.
## Syntax
[tcpout-server://<ip address>:<port>]
## Example
[tcpout-server://184.108.40.206:9997]

## Syntax:
[tcpout:<target_group>]
server = [<ip>|<servername>]:<port>
## Example:
[tcpout:prod_indexer_group]
server = yourIndexer1:9997, yourIndexer2:9997
Please have a look at my other answer for more details on the above settings. HTH!
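An added example, not part of the original answers and not Splunk tooling: a small pre-packaging check that an outputs.conf defines a [tcpout:<target_group>] stanza, that every server entry is a plain <host>:<port> with no URL scheme, and that defaultGroup names a defined group. The function name, sample files and hostnames are assumptions; IPv6 addresses are not handled.

```python
import configparser
import re

# A receiver is written as <host>:<port>; a URL scheme such as https:// is not valid here.
SERVER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*:(?P<port>\d{1,5})$")

# Constructed sample files (hostnames are placeholders, not from the thread).
GOOD = """[tcpout]
defaultGroup = prod_indexer_group

[tcpout:prod_indexer_group]
server = idx1.example.com:9997, 10.0.0.12:9997
"""
BAD = """[tcpout]
defaultGroup = prod_indexers

[tcpout:prod_indexer_group]
server = https://idx1.example.com:9997, idx2.example.com
"""

def lint_outputs_conf(text):
    """Return a list of problems found in outputs.conf text (empty list = clean)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names as written (configparser lowercases by default)
    cp.read_string(text)
    problems = []
    groups = {s.split(":", 1)[1]: s for s in cp.sections() if s.startswith("tcpout:")}
    if not groups:
        problems.append("no [tcpout:<target_group>] stanza defined")
    for name, stanza in groups.items():
        raw = cp.get(stanza, "server", fallback="")
        servers = [v.strip() for v in raw.split(",") if v.strip()]
        if not servers:
            problems.append(f"group {name}: no server entries")
        for entry in servers:
            m = SERVER_RE.match(entry)
            if not m or not 1 <= int(m.group("port")) <= 65535:
                problems.append(f"group {name}: '{entry}' is not <host>:<port>")
    for ref in cp.get("tcpout", "defaultGroup", fallback="").split(","):
        if ref.strip() and ref.strip() not in groups:
            problems.append(f"defaultGroup references undefined group '{ref.strip()}'")
    return problems

if __name__ == "__main__":
    for label, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_outputs_conf(conf))
```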