
Why my sourcetypes under universal forwarder not showing up in Splunk GUI?

Communicator

We have a Windows forwarder running on vm02, forwarding data to vm01, which is the main Splunk Enterprise.

We configured the inputs and props.conf at the vm02 forwarder level. So far we are able to search the events in vm01 coming from vm02. But when we go to the sourcetypes or inputs link in the vm01 GUI, we don't see any sourcetypes or inputs that are configured at the forwarder level. But we are able to search the events using the forwarder sourcetypes in vm01.

How to make the vm01 GUI show the vm02 sourcetypes and inputs?

0 Karma

Re: Why my sourcetypes under universal forwarder not showing up in Splunk GUI?

Splunk Employee

Hi ibob0304!

In order for configurations on a forwarder to be seen on another Splunk instance, you would need to put the config files on said instance (in this case vm01).

The best way to handle management of configurations is through apps, or in this case, what would be referred to as a technical add-on (TA).

https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Whatsanapp

Beyond the nomenclature, an "app" is simply a directory containing configuration files.

In this case, simply copy the props.conf to vm01 under $SPLUNK_HOME/etc/apps//local

This will take you into various Splunk adventures, including file precedence, so be sure to poke through the admin docs I posted above to get a primer on how to work with configs and apps!

0 Karma

Re: Why my sourcetypes under universal forwarder not showing up in Splunk GUI?

Communicator

If I keep the vm02 config files in vm01, then Splunk would assume and consider the vm02 properties in vm01, isn't it? For instance, I have an app called "product apps", and I brought the vm02 configs and kept them along with the vm01 configs under that app. So Splunk will consider the config from vm01, not from the forwarder. So the data will be indexed directly from vm01, not from vm02. Sounds confusing.

0 Karma

Re: Why my sourcetypes under universal forwarder not showing up in Splunk GUI?

Splunk Employee

I recommend you take a look at our documentation regarding how indexing works.

http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Howindexingworks

When you deploy configurations in a distributed environment, you need to provide the forwarder and the indexers with configurations for your sourcetypes to account for different parts of the indexing pipeline.

The short answer to your concerns is...no, you will not "override" the forwarder configurations.

Both the vms will work in concert to do their part of the task.

0 Karma
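
The split described in the answers above, as an added example that is not part of the thread or of Splunk's documentation: the input definition stays on the forwarder, and vm01 carries a props.conf stanza for the same sourcetype. The app name `product_ta`, the sourcetype `product:app`, the monitored path, the index and the timestamp layout are all assumed for illustration.

```ini
# --- vm02 (universal forwarder): collects the file and tags it ---
# $SPLUNK_HOME/etc/apps/product_ta/local/inputs.conf   (app name assumed)
# This file stays on vm02 only; a monitor stanza placed on vm01 would make
# vm01 look for the path on its own disk.
[monitor://C:\logs\product\app.log]
sourcetype = product:app
index = main
disabled = 0

# --- vm01 (Splunk Enterprise: indexes and searches) ---
# $SPLUNK_HOME/etc/apps/product_ta/local/props.conf
# The stanza name matches the sourcetype assigned on vm02. It does not create
# an input on vm01; it tells vm01 how to treat events that arrive already
# carrying this sourcetype, and gives vm01 a local definition of it.
[product:app]
# Parsing phase: for data sent by a universal forwarder this runs on vm01.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Constructed sample event: 2017-06-01 12:00:00 ERROR payment failed
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
TRUNCATE = 10000
# Search phase: applied when a search runs on vm01.
EXTRACT-level = ^\S+\s+\S+\s+(?<level>[A-Z]+)
```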