Getting Data In

can a universal forwarder serve as a relay between another forwarder and the indexer?

matt
Splunk Employee
Splunk Employee

Can I have a universal forwarder collect data from other universal forwarders and then send that off to the indexer?

1 Solution

Steve_G_
Splunk Employee
Splunk Employee

jbsplunk
Splunk Employee
Splunk Employee

So, it will work as an relay for things like syslog, and probably for very simple file monitoring use cases similar to syslog type configurations. It is not intended to work for Splunk2Splunk communication, and you will run into problems with attempting this type of a configuration. Thanks to Steve in Splunk doc's for dropping me an email with the clarifications.

Steve_G_
Splunk Employee
Splunk Employee

Yes, you can.

Steve_G_
Splunk Employee
Splunk Employee

There was some controversy about this a while ago, so pardon the confusion, but, yes, that topology should work.

If you're running into issues getting it to work, I suggest you pose a new question in Answers, with the specifics of your configuration.

0 Karma

asingla
Communicator

Hi Steve G,

I am confused by the answer. Do you mean the below topology will not work? I have the latest version 4.2.3.

Program -> Universal forwarder -> Universal Forwarder (Intermediate) -> Main Indexer

'->' the flow of TCP message originated from the Program.

The table says 'Yes' against 'Serves as intermediate forwarder?' for Universal Forwarder.

I am asking this as this setup is not working for me right now. I am not sure if I didn't configure it properly or it does not work.

0 Karma

Steve_G_
Splunk Employee
Splunk Employee

Here's a chart with the capabilities of all the types of forwarders:

http://www.splunk.com/base/Documentation/latest/Deploy/Typesofforwarders#Forwarder_comparison

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...