how can i enable forwarding using a heavy forwarder with outputs.conf?

Path Finder

Actually, I want to ask: what is the equivalent of this command?

splunk enable app SplunkForwarder -auth <username>:<password>

I saw the indexAndForward option, but it's not the equivalent of the command above, is it? With this option, Splunk indexes all data locally, in addition to forwarding it. Isn't there any option only to forward?

Is it just enough to use the [tcpout-server://<ip address>:<port>] option to forward data? Is this option an equivalent?

Adding: I want to separate the data pipeline segments from each other, especially "input, parsing" and "indexing". How do I build a structure to achieve this?

Re: how can i enable forwarding using a heavy forwarder with outputs.conf?

Legend

Hi sayz,
as you can see at http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Aboutforwardingandreceivingdata, to enable forwarding you have to create an outputs.conf file.
It could be placed in $SPLUNK_HOME/etc/system/local or (better) in an App (called e.g. TAForwarder) distributed using a Deployment Server.
Your outputs.conf must be something like this (for two indexers in auto load balancing):

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://xxx.xxx.xxx.xxx:9997]
[tcpout-server://yyy.yyy.yyy.yyy:9997]


[tcpout:default-autolb-group]
server = xxx.xxx.xxx.xxx:9997, yyy.yyy.yyy.yyy:9997
disabled=false

If you want, you could also use SSL as communication protocol between Forwarders and Indexers.

The indexAndForward option must be used if you want to save a local version of the logs; if you don't use it, all the logs are forwarded to the Indexers.

Bye.
Giuseppe
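
A way to sanity-check an outputs.conf of the shape shown in the answer above before deploying it to a heavy forwarder, as an added example that is not part of the original thread. The function name `check_outputs` and the 192.0.2.x addresses are assumptions made for illustration, and boolean handling is simplified to `true`/`1`.

```python
import configparser

# Constructed sample: the outputs.conf layout from the answer, with placeholder
# indexer addresses (192.0.2.x is a documentation range, not from the thread).
SAMPLE = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://192.0.2.10:9997]
[tcpout-server://192.0.2.11:9997]

[tcpout:default-autolb-group]
server = 192.0.2.10:9997, 192.0.2.11:9997
disabled=false
"""

def is_true(value):
    # Simplification (assumption): only "true" and "1" count as true here.
    return value.strip().lower() in ("true", "1")

def check_outputs(text):
    """Return (problems, summary) for an outputs.conf given as a string."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep setting names such as defaultGroup case-sensitive
    cp.read_string(text)
    problems, servers = [], []
    tcpout = cp["tcpout"] if cp.has_section("tcpout") else {}
    groups = [g.strip() for g in tcpout.get("defaultGroup", "").split(",") if g.strip()]
    if not groups:
        problems.append("[tcpout] has no defaultGroup")
    for group in groups:
        stanza = "tcpout:" + group
        if not cp.has_section(stanza):
            problems.append(f"defaultGroup '{group}' has no [{stanza}] stanza")
            continue
        if is_true(cp[stanza].get("disabled", "false")):
            problems.append(f"[{stanza}] is disabled")
        members = [s.strip() for s in cp[stanza].get("server", "").split(",") if s.strip()]
        if not members:
            problems.append(f"[{stanza}] lists no server")
        for member in members:
            host, _, port = member.rpartition(":")
            if not host or not port.isdigit():
                problems.append(f"[{stanza}] server '{member}' is not host:port")
        servers += members
    # indexAndForward in [tcpout] keeps a local copy in addition to forwarding.
    local = is_true(tcpout.get("indexAndForward", "false"))
    return problems, {"servers": servers, "index_locally": local}
```

An empty problem list with `index_locally` set to `False` corresponds to the forward-only setup the question asks about.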


Re: how can i enable forwarding using a heavy forwarder with outputs.conf?

Path Finder

Thank you cusello;

And what about parsing? Do I have to enable it as well? Or will the heavy forwarder parse my data automatically?

Firstly, I want to use the HF to get and parse my data. After that, I want to forward my data via the HF.


Re: how can i enable forwarding using a heavy forwarder with outputs.conf?

Legend

You can parse your data on your Heavy Forwarders or on your Indexers, not on your Universal Forwarders.
To enable parsing you have to create props.conf and transforms.conf files.
If you don't configure your parsing, Splunk applies default parsing.
See https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/WhatSplunkdoeswithyourdata
Bye.
Giuseppe


Re: how can i enable forwarding using a heavy forwarder with outputs.conf?

Path Finder

So,
if I don't configure parsing, my HF will parse my data with default parsing, right? Because the HF is a full Splunk Enterprise instance that comes with a default props.conf and transforms.conf, isn't it?

For example:

Host A: this is the machine whose logs I want to get. A web server, for example.
Splunk Cloud: my indexer.

I want to parse my data on Host A, and Splunk Cloud must only index it, not parse it.

In this situation,
I only have to enable forwarding on the HF on Host A and that's all, right? Because the props.conf and transforms.conf files already exist.


Re: how can i enable forwarding using a heavy forwarder with outputs.conf?

Legend

If you don't configure parsing, you don't parse anything; you index all logs with default options.
Bye.
Giuseppe


Re: how can i enable forwarding using a heavy forwarder with outputs.conf?

Path Finder

Hi;

But if I install Splunk Enterprise, it works automatically. Why? I did not make any parsing configuration, but it parsed my data and indexed it. Why does the HF not work like this?

Sorry, but I think I'm confused.


Re: how can i enable forwarding using a heavy forwarder with outputs.conf?

Legend

A Heavy Forwarder is a full Splunk Enterprise installation in which logs are forwarded to indexers.
There is no software difference between them, only configuration differences.
If you use a Heavy Forwarder with no parsing configurations, it forwards logs without any action on them.
Bye.
Giuseppe


Re: how can i enable forwarding using a heavy forwarder with outputs.conf?

Path Finder

OK,

I think I got it 🙂

If I want to do parsing on the HF, I just need to copy the configuration files from the default files.
