Getting Data In

system local folder vs forwarder local folder

splunkatl
Path Finder

In Heavyforwader if we go to SYSTEM directory we have Local and Default directories created by it self in which we have all the configuration files by default like( inputs.conf , output.conf , props.conf , transforms.conf , etc.,)

Now my question is why to enable SplunkForwarder for local directory and manually create all the configuration files (input.conf , output.conf, props.conf and transforms.conf ) ? and transfer the log data same as universal forwarder

why cant we forward the log data directly from system-->local directory to enterprise server...

plz correct me if there is any wrong.....

0 Karma
1 Solution

lguinn2
Legend

The directory structure for indexers, heavy forwarders and universal forwarders is the same. You can put configuration files in SPLUNK_HOME/etc/system/local or you can put them in an app SPLUNK_HOME/etc/apps/AppName/local.

You should only create or edit files in the local subdirectories. Never change the files in the default subdirectories.

For indexers, heavy forwarders and universal forwarders, the BEST PRACTICE is the same: put your configurations in an app directory SPLUNK_HOME/etc/apps/AppName/local not the system-level directories. This makes your configurations easier to manage. Many people use the "search" app directory for general configurations. Config files such as inputs.conf, outputs.conf, deploymentclient.conf, props.conf and transforms.conf should be placed in an app-level directory.

The only configurations that SHOULD go into the SPLUNK_HOME/etc/system/localdirectory are true system settings such as the host name setting (in server.conf) and port numbers (in web.conf and server.conf).

If you follow the best practice, then it is easy to copy the entire app from one system to another, and the systems will be configured the same.

View solution in original post

lguinn2
Legend

The directory structure for indexers, heavy forwarders and universal forwarders is the same. You can put configuration files in SPLUNK_HOME/etc/system/local or you can put them in an app SPLUNK_HOME/etc/apps/AppName/local.

You should only create or edit files in the local subdirectories. Never change the files in the default subdirectories.

For indexers, heavy forwarders and universal forwarders, the BEST PRACTICE is the same: put your configurations in an app directory SPLUNK_HOME/etc/apps/AppName/local not the system-level directories. This makes your configurations easier to manage. Many people use the "search" app directory for general configurations. Config files such as inputs.conf, outputs.conf, deploymentclient.conf, props.conf and transforms.conf should be placed in an app-level directory.

The only configurations that SHOULD go into the SPLUNK_HOME/etc/system/localdirectory are true system settings such as the host name setting (in server.conf) and port numbers (in web.conf and server.conf).

If you follow the best practice, then it is easy to copy the entire app from one system to another, and the systems will be configured the same.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...