Actually, I want to ask what the equivalent of this command is:
splunk enable app SplunkForwarder -auth <username>:<password>
I saw the indexAndForward option, but it's not the equivalent of the command above, is it? With this option, Splunk indexes all data locally in addition to forwarding it. Isn't there any option to only forward?
Is it enough to use the [tcpout-server://<ip address>:<port>] option to forward data? Is this option an equivalent?
Adding: I want to separate data pipeline segments from each other, especially "input, parsing" and "indexing". How do I build a structure to achieve this?
As you can see at http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Aboutforwardingandreceivingdata, to enable forwarding you have to create an outputs.conf file.
It could be placed in $SPLUNK_HOME/etc/system/local or (better) in an App (called e.g. TAForwarder) distributed using a Deployment Server.
Your outputs.conf must be something like this (for two indexers with auto load balancing):

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://xxx.xxx.xxx.xxx:9997]
[tcpout-server://yyy.yyy.yyy.yyy:9997]

[tcpout:default-autolb-group]
server = xxx.xxx.xxx.xxx:9997, yyy.yyy.yyy.yyy:9997
disabled=false
If you want, you could also use SSL as the communication protocol between Forwarders and Indexers.
The indexAndForward option must be used if you want to save a local copy of the logs; if you don't use it, all the logs are forwarded to the Indexers.
Thank you cusello;
and what about parsing? Do I have to enable it as well, or will the heavy forwarder parse my data automatically?
Firstly, I want to use the HF to get and parse my data. After that, I want to forward my data via the HF.
You can parse your data on your Heavy Forwarders or on your Indexers, not on your Universal Forwarders.
To enable parsing you have to create props.conf and transforms.conf files.
If you don't configure your parsing, Splunk applies default parsing.
See at https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/WhatSplunkdoeswithyourdata
If I don't configure parsing, my HF will parse my data with default parsing, right? Because the HF is a full Splunk Enterprise instance that comes with a default props.conf and transforms.conf, isn't it?
Host A: this is the machine whose logs I want to get, a web server for example.
Splunk Cloud: my indexer.
I want to parse my data on Host A, and Splunk Cloud must only index them, not parse them.
In this situation,
I only have to enable forwarding on the HF in Host A and that's all, right? Because the props.conf and transforms.conf files already exist.
If you don't configure parsing, you don't parse anything; you index all logs with default options.
But if I install a Splunk Enterprise, it works automatically. Why? I did not make any parsing configuration, but it parsed my data and indexed them. Why does the HF not work like this?
Sorry, but I think I'm confused.
A Heavy Forwarder is a full Splunk Enterprise installation in which logs are forwarded to indexers.
There is no software difference between them, only configuration differences.
If you use a Heavy Forwarder with no parsing configuration, it forwards logs without any action on them.
I think I got it 🙂
If I want to do parsing in the HF, I just need to copy the configuration files from the default files.
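As an added example (not cusello's or the original poster's configuration), here is how the pieces discussed in this thread fit together on the HF on Host A: forward only, over SSL, with the parsing done on the HF so the indexers only index. The app name TAForwarder comes from the thread; the log path, sourcetype, index name, indexer addresses, certificate paths and the masking regex are assumptions.

```ini
# --- $SPLUNK_HOME/etc/apps/TAForwarder/local/inputs.conf ---
# Monitor the web server log on Host A (path, sourcetype and index are assumptions).
[monitor:///var/log/apache2/access.log]
sourcetype = access_combined
index = web

# --- $SPLUNK_HOME/etc/apps/TAForwarder/local/outputs.conf ---
# Forward only: indexAndForward = false keeps no local copy on the HF.
[tcpout]
defaultGroup = default-autolb-group
indexAndForward = false

# Two indexers, auto load balanced, over SSL
# (addresses, certificate paths and password are placeholders).
[tcpout:default-autolb-group]
server = xxx.xxx.xxx.xxx:9997, yyy.yyy.yyy.yyy:9997
disabled = false
sslCertPath = $SPLUNK_HOME/etc/auth/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslPassword = <forwarder-cert-password>
sslVerifyServerCert = true

# --- $SPLUNK_HOME/etc/apps/TAForwarder/local/props.conf ---
# Parsing is attached per sourcetype; the HF applies it before forwarding,
# so the indexers receive already-parsed events and only index them.
[access_combined]
TRANSFORMS-mask = mask_session_token

# --- $SPLUNK_HOME/etc/apps/TAForwarder/local/transforms.conf ---
# Rewrite _raw so a session token never leaves Host A (the regex is an
# assumption for a token passed as a 'sessionid=' query parameter).
[mask_session_token]
REGEX = (?m)^(.*sessionid=)[^&\s"]+(.*)$
FORMAT = $1REDACTED$2
DEST_KEY = _raw
```

Restart the HF after placing the files; the receiving indexers must listen with a [splunktcp-ssl:9997] stanza in their inputs.conf for the SSL settings to take effect.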