Installation

Can we install and run 2 UFs on one single Windows VM server?

Ashwini008
Contributor

Hi,

Our current requirement is to install 2 UFs, versions 8.0.2 and 8.0.6, on one single Windows VM server.

We installed the first UF in the normal way by following the Splunk docs, and when we try to install the 2nd UF, it installs in the same directory and updates the already installed UF version.

Is it possible to run two UFs together on a Windows server? If so, please let me know the steps and procedure to install.

I found this link. Has anyone tried it, and did it work by following these steps? https://www.splunk.com/en_us/blog/tips-and-tricks/running-two-universal-forwarders-on-windows.html

Thanks

0 Karma

gcusello
Legend

Hi @Ashwini008,

Why do you want to install two different UFs on the same machine?

Anyway, you can change the installation folder of the second installation and in this way have two running splunkd processes, but I don't understand the target of this idea.

If you want to do this, remember to manually modify the hostname in $SPLUNK_HOME\etc\system\local\server.conf and $SPLUNK_HOME\etc\system\local\inputs.conf in one of the two machines to be able to distinguish the hosts.

Ciao.

Giuseppe

0 Karma

Ashwini008
Contributor

@gcusello We are trying to install 2 UFs on the same machine, so the hostname will be the same. I didn't get this point of changing the hostname in server.conf and inputs.conf.

We tried installing the first UF, changed the directory of that file and updated splunk-launch.conf as below:

SPLUNK_HOME=C:\Program Files\SplunkUniversalForwarder2
SPLUNK_SERVER_NAME=SplunkForwarder2

Created a new service with the below command, deleted the old service and also changed the web port to 8090. By this method we were able to install the first UF.

SPLUNK_HOME=C:\Program Files\SplunkUniversalForwarder2
SPLUNK_SERVER_NAME=SplunkForwarder2

But when we try to install the second UF, it tries to upgrade the previously installed UF instead of creating a new directory for the 2nd UF, and then ends up not being able to install.


0 Karma

gcusello
Legend

Hi @Ashwini008,

I still don't understand why you want to do this; anyway, you should be able to change the installation directory of the second Forwarder installation. If needed, try to stop Splunk before running the installation of the second Forwarder.

If you cannot, change the installation folder of the first installation using a different folder, stop Splunk Forwarder and try to install the second in the default folder.

Ciao.

Giuseppe

0 Karma

Ashwini008
Contributor

@gcusello Since we want to send the same data to two different environments (Splunk setups), we want to install 2 UFs on the same machine.

We tried your steps of installing in a different folder. The first UF (8.0.2) got installed successfully as earlier, but when we tried to install the second UF (8.0.6), instead of installing the second UF, it went and upgraded the first UF from version 8.0.2 to version 8.0.6.


0 Karma

gcusello
Legend

Hi @Ashwini008,

As @PickleRick also said, you don't need two different Forwarders to send data to two different Splunk environments; for this reason I didn't understand the reason for the second UF.

You can follow the instructions at https://docs.splunk.com/Documentation/Splunk/8.2.6/Forwarding/Routeandfilterdatad#Route_inputs_to_sp...

In a few words, you have to create an outputs.conf containing both destinations.

If you want to send all the same data to both environments, you can use an outputs.conf like this:

[tcpout:systemGroup]
server=server1:9997

[tcpout:applicationGroup]
server=server2:9997

If instead you want to send different kinds of data to the environments, you have to use an outputs.conf as above and also modify inputs.conf, adding the option _TCP_ROUTING to indicate the destination environment for each input.

Ciao.

Giuseppe
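
Added example, not part of the original posts or of Splunk's documentation: a single UF that clones one input to both environments and routes two other inputs to one environment each, using the group and server names from the answer above. The `defaultGroup` line is set explicitly here, and the Windows event log channel and monitor paths are constructed for illustration.

```ini
# --- $SPLUNK_HOME\etc\system\local\outputs.conf ---
[tcpout]
# Inputs that carry no _TCP_ROUTING are sent to every group listed here,
# so each listed environment receives its own copy of the data.
defaultGroup = systemGroup,applicationGroup

[tcpout:systemGroup]
server = server1:9997

[tcpout:applicationGroup]
server = server2:9997

# --- $SPLUNK_HOME\etc\system\local\inputs.conf ---
# No _TCP_ROUTING: follows defaultGroup, both environments get a copy.
[WinEventLog://Security]
disabled = 0

# Routed to the first environment only (constructed path).
[monitor://C:\Logs\system\*.log]
_TCP_ROUTING = systemGroup

# Routed to the second environment only (constructed path).
[monitor://C:\Logs\app\*.log]
_TCP_ROUTING = applicationGroup
```

Routing with `_TCP_ROUTING` is decided per input stanza, not per event, and the forwarder needs a restart to pick up the changed files.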

PickleRick
Ultra Champion

If I'm not mistaken (haven't tried it myself but the docs suggest so), you should be able to send the events to two separate outputs. So this requirement alone shouldn't prevent you from using a single UF.

I can, however, think of at least one scenario in which it could be the only feasible solution - sending two subsets of the same source to two different destinations. Since you can't do parsing/filtering on a UF, you can choose to only forward some events to one destination and some to another. So you have an option to either install a HF which - as the name suggests - is quite heavy or try to deploy two different instances of UF.

With Linux I'd say just copy the installation directory and configure the systemd units properly. With Windows - I'm not that into Windows services to be 100% sure how to do that but I'd also try installing one instance, then copying the directory into another place and doing splunk enable boot-start on both of them. It could work.

But it will be hard to maintain two such instances since the installer (in case of an upgrade) will know only of the one instance in the default path. You'd have to manually merge the changes into the secondary instance which could be tricky.

0 Karma