how can i enable forwarding using a heavy forwarder with outputs.conf?

sayz
Path Finder

Actually, I want to ask what the equivalent of this command is:

splunk enable app SplunkForwarder -auth <username>:<password>

I saw the indexAndForward option, but it's not the equivalent of the command above, is it? With this option, Splunk indexes all data locally in addition to forwarding it. Isn't there any option to only forward?

Is it enough to just use the [tcpout-server://<ip address>:<port>] option to forward data? Is this option an equivalent?

Adding: I want to separate the data pipeline segments from each other, especially "input, parsing" and "indexing". How do I build a structure to achieve this?

1 Solution

gcusello
SplunkTrust

Hi sayz,
as you can see at http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Aboutforwardingandreceivingdata, to enable forwarding you have to create an outputs.conf file.
It can be placed in $SPLUNK_HOME/etc/system/local or (better) in an app (called e.g. TA_Forwarder) distributed using a Deployment Server.
Your outputs.conf must be something like this (for two indexers in auto load balancing):

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://xxx.xxx.xxx.xxx:9997]
[tcpout-server://yyy.yyy.yyy.yyy:9997]


[tcpout:default-autolb-group]
server = xxx.xxx.xxx.xxx:9997, yyy.yyy.yyy.yyy:9997
disabled=false

If you want, you could also use SSL as the communication protocol between Forwarders and Indexers.

The indexAndForward option must be used if you want to save a local copy of the logs; if you don't use it, all the logs are forwarded to the Indexers.

Bye.
Giuseppe
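An added example (not from this thread and not Splunk's own tooling) that checks an outputs.conf like the one above before it is pushed out by the Deployment Server. It parses the stanza layout with Python's configparser and reports the mistakes that most often leave a forwarder silently not forwarding or forwarding in cleartext: a defaultGroup that names no [tcpout:<group>] stanza, a disabled group, a [tcpout-server://...] stanza for a host that no group lists (usually a typo), indexAndForward left on, and no TLS settings at all. The 192.0.2.x indexer addresses are constructed sample values; the TLS key names it looks for (useSSL, sslRootCAPath, sslCertPath, clientCert, sslVerifyServerCert) are the standard outputs.conf keys as I know them, so confirm them against the outputs.conf.spec of your version.

```python
"""Sanity-check a heavy forwarder outputs.conf before deployment.

Added example, not code from the thread or from Splunk.
"""
import configparser

# Constructed sample: the layout from the answer, two indexers in one
# auto-load-balanced group (192.0.2.0/24 is a documentation range).
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://192.0.2.10:9997]
[tcpout-server://192.0.2.11:9997]

[tcpout:default-autolb-group]
server = 192.0.2.10:9997, 192.0.2.11:9997
disabled = false
"""

# Assumed standard outputs.conf TLS keys; verify against your outputs.conf.spec.
TLS_KEYS = ("useSSL", "sslRootCAPath", "sslCertPath", "clientCert", "sslVerifyServerCert")


def parse_outputs_conf(text):
    """Return {stanza: {key: value}} for an outputs.conf body."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def _is_true(value):
    return str(value).strip().lower() in ("true", "1", "yes")


def _members(stanza):
    return {s.strip() for s in stanza.get("server", "").split(",") if s.strip()}


def check_outputs_conf(conf):
    """Return a list of findings; an empty list means the config looks sane."""
    findings = []
    tcpout = conf.get("tcpout", {})
    group = tcpout.get("defaultGroup")
    if not group:
        findings.append("[tcpout] has no defaultGroup, so nothing is forwarded by default")
        return findings
    group_stanza = conf.get(f"tcpout:{group}")
    if group_stanza is None:
        findings.append(f"defaultGroup '{group}' has no matching [tcpout:{group}] stanza")
        return findings
    if _is_true(group_stanza.get("disabled", "false")):
        findings.append(f"[tcpout:{group}] is disabled")
    if not _members(group_stanza):
        findings.append(f"[tcpout:{group}] lists no server")

    # Per-server stanzas are optional overrides; one naming a host that no
    # [tcpout:<group>] lists is almost always a typo, so report it.
    all_members = set()
    for stanza, kv in conf.items():
        if stanza.startswith("tcpout:"):
            all_members |= _members(kv)
    for stanza in conf:
        if stanza.startswith("tcpout-server://"):
            target = stanza[len("tcpout-server://"):]
            if target not in all_members:
                findings.append(f"[{stanza}] names a server that no [tcpout:<group>] lists")

    # indexAndForward keeps a full local copy, which is rarely wanted on a HF.
    if _is_true(tcpout.get("indexAndForward", "false")):
        findings.append("indexAndForward is enabled: events are indexed locally as well as forwarded")

    # TLS may be set globally, per group or per server; any of these scopes counts.
    scopes = [tcpout, group_stanza] + [kv for s, kv in conf.items() if s.startswith("tcpout-server://")]
    if not any(k in scope for scope in scopes for k in TLS_KEYS):
        findings.append("no TLS settings found: forwarder-to-indexer traffic is sent in cleartext")
    return findings


if __name__ == "__main__":
    for finding in check_outputs_conf(parse_outputs_conf(SAMPLE_OUTPUTS_CONF)):
        print("finding:", finding)
```

Run against the sample above it reports exactly one finding, the missing TLS settings, which is the point Giuseppe makes about optionally using SSL: the layout forwards correctly, but nothing in it protects the data in transit.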

sayz
Path Finder

Thank you cusello,

and what about parsing? Do I have to enable it as well, or will the heavy forwarder parse my data automatically?

First I want to use the HF to get and parse my data. After that I want to forward my data via the HF.


gcusello
SplunkTrust

You can parse your data on your Heavy Forwarders or on your Indexers, not in your Universal Forwarders.
To enable parsing you have to create props.conf and transforms.conf files.
If you don't configure your parsing, Splunk applies default parsing.
See at https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/WhatSplunkdoeswithyourdata
Bye.
Giuseppe

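Since parsing on the HF is driven entirely by what you put in props.conf and transforms.conf, it pays to dry-run those rules before deploying them. The following is an added example, not from this thread and not Splunk code: it loads a constructed props.conf and transforms.conf for a made-up web_access sourcetype, checks that every TRANSFORMS-* reference points at a stanza that exists and has a REGEX that compiles, checks that each SEDCMD-* value has the s/regex/replacement/flags shape, and then previews what the two rules do to three constructed access-log events (one health check routed to nullQueue, one login line whose password parameter gets masked, one left alone). Assumptions: Python's re engine is used in place of Splunk's PCRE, which agrees for simple patterns like these but not for every PCRE feature; only the s/// form of SEDCMD is handled, not y///; and SEDCMD is applied before the nullQueue routing, which is the parsing-then-typing order as I understand the index-time pipeline.

```python
"""Dry-run props.conf/transforms.conf parsing rules before deploying them to
a heavy forwarder. Added example, not from this thread or from Splunk."""
import configparser
import re

# Constructed sample sourcetype: drop load-balancer health checks with a
# nullQueue transform and mask a password parameter with a SEDCMD rewrite.
SAMPLE_PROPS_CONF = r"""
[web_access]
TRANSFORMS-routing = drop_healthchecks
SEDCMD-mask_password = s/password=[^&\s]+/password=REDACTED/g
"""

SAMPLE_TRANSFORMS_CONF = r"""
[drop_healthchecks]
REGEX = GET /healthz
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed events, as the forwarder would read them from an access log.
SAMPLE_EVENTS = [
    '10.0.0.5 - - "GET /healthz HTTP/1.1" 200',
    '10.0.0.7 - - "POST /login?user=bob&password=hunter2 HTTP/1.1" 302',
    '10.0.0.9 - - "GET /index.html HTTP/1.1" 200',
]

# SEDCMD substitution form s/<regex>/<replacement>/<flags>; a literal slash
# inside either part must be backslash-escaped. The y/// form is not handled.
SED_RE = re.compile(r"^s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/([gi]*)$")


def load_conf(text):
    """Return {stanza: {key: value}} for a Splunk .conf body."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def parse_sedcmd(expr):
    """Split a SEDCMD value into (pattern, replacement, flags); None if malformed."""
    m = SED_RE.match(expr.strip())
    return m.groups() if m else None


def _transform_names(value):
    return [n.strip() for n in value.split(",") if n.strip()]


def check_parsing_conf(props, transforms):
    """Findings: dangling TRANSFORMS references, missing/invalid REGEX, bad SEDCMD."""
    findings = []
    for stanza, kv in props.items():
        for key, val in kv.items():
            if key.startswith("TRANSFORMS-"):
                for name in _transform_names(val):
                    t = transforms.get(name)
                    if t is None:
                        findings.append(f"[{stanza}] {key} references missing transforms stanza [{name}]")
                    elif "REGEX" not in t:
                        findings.append(f"[{name}] has no REGEX")
                    else:
                        try:
                            re.compile(t["REGEX"])  # assumption: re is close enough to PCRE here
                        except re.error as exc:
                            findings.append(f"[{name}] REGEX does not compile: {exc}")
            elif key.startswith("SEDCMD-") and parse_sedcmd(val) is None:
                findings.append(f"[{stanza}] {key} is not of the form s/regex/replacement/flags")
    return findings


def preview_pipeline(props, transforms, sourcetype, events):
    """Return [(original, result)], result None when the event goes to nullQueue.

    SEDCMD rewrites run first, nullQueue routing second (assumed parsing-then-
    typing order of the index-time pipeline).
    """
    kv = props.get(sourcetype, {})
    sedcmds = [s for s in (parse_sedcmd(v) for k, v in kv.items() if k.startswith("SEDCMD-")) if s]
    droppers = []
    for k, v in kv.items():
        if k.startswith("TRANSFORMS-"):
            for name in _transform_names(v):
                t = transforms.get(name, {})
                if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue" and "REGEX" in t:
                    droppers.append(re.compile(t["REGEX"]))
    out = []
    for original in events:
        ev = original
        for pattern, repl, flags in sedcmds:
            ev = re.sub(pattern, repl, ev, count=0 if "g" in flags else 1,
                        flags=re.IGNORECASE if "i" in flags else 0)
        out.append((original, None if any(d.search(ev) for d in droppers) else ev))
    return out


if __name__ == "__main__":
    props = load_conf(SAMPLE_PROPS_CONF)
    transforms = load_conf(SAMPLE_TRANSFORMS_CONF)
    for finding in check_parsing_conf(props, transforms):
        print("finding:", finding)
    for original, result in preview_pipeline(props, transforms, "web_access", SAMPLE_EVENTS):
        print("DROPPED" if result is None else "INDEXED", result or original)
```

The same two functions work on the real files: read $SPLUNK_HOME/etc/apps/<your app>/local/props.conf and transforms.conf from the HF into load_conf() and feed preview_pipeline() a few lines from the log you are onboarding. If the health-check line is not dropped or the password is still visible in the preview, fix the stanza before it reaches the forwarder rather than after the data is already indexed.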

sayz
Path Finder

So,
if I don't configure parsing, my HF will parse my data with default parsing, right? Because the HF is a full Splunk Enterprise instance that comes with a default props.conf and transforms.conf, isn't it?

For example:

Host A: this is the machine whose logs I want to get, a web server for example.
Splunk Cloud: my indexer.

I want to parse my data on Host A, and Splunk Cloud must only index it, not parse it.

In this situation,
I only have to enable forwarding on the HF on Host A and that's all, right? Because the props.conf and transforms.conf files already exist.


gcusello
SplunkTrust

If you don't configure parsing, you don't parse anything; you index all logs with default options.
Bye.
Giuseppe


sayz
Path Finder

Hi,

but if I install Splunk Enterprise, it works automatically. Why? I did not make any parsing configuration, but it parsed my data and indexed it. Why doesn't the HF work like this?

Sorry, but I think I'm confused.


gcusello
SplunkTrust

A Heavy Forwarder is a full Splunk Enterprise installation in which logs are forwarded to indexers.
There is no software difference between them, only configuration differences.
If you use a Heavy Forwarder with no parsing configuration, it forwards logs without any action on them.
Bye.
Giuseppe


sayz
Path Finder

OK,

I think I got it 🙂

If I want to do parsing on the HF, I just need to copy the configuration files from the default files.
