Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Re: Repointing Universal forwarder to new heavy fo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Repointing Universal forwarder to new heavy forwarder in Windows
Can I repoint universal forwarder to new heavy forwarder in windows without reinstalling the agent?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Yes you can do it. That information is on outputs.conf. It depends how your UF has configured where you found the correct outputs.conf. You can try to find it on cmd line with command
.....\splunk cmd btool outputs list --debug
That shows where that file is.
There could be a static definition (point to some named/ip based hosts) or indexer discovery (point to CM). You must just replace that to point it to your named HF (heavy forwarder) and preferably there is at least two HF nodes. Also you must think should you add IndexAck there to ensure that UF will get confirmation when data is written to indexers disks, otherwise HF told that it has gotten it, but there is no information what has happened to it after that.
If you are using splunk DS then there is probably own app (server class) for basic configuration where this outputs.conf is one part. In that case just create a new app/TA on DS with proper configuration and change it to that client's use.
r. Ismo
- https://docs.splunk.com/Documentation/Splunk/8.2.4/Forwarding/Configureanintermediateforwarder
- https://docs.splunk.com/Documentation/Splunk/8.2.4/Updating/Aboutdeploymentserver
- https://docs.splunk.com/Documentation/Splunk/8.2.4/Updating/Definedeploymentclasses
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you can. But then you hf will have to accept inputs on splunktcp like indexers rather than TCP.
On SUF just point it to indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry what is SUF? I found output.conf at following location where I see my old HF IP C:\Program Files\SplunkUniversalForwarder\etc\apps\DS_dw_Outputs\local. If I stop services and modify this file to point to new HF IP and restart services, would that work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
add the config i gave on the splunk forwarder location commenting out old config.
onf HF you have to make changes too add the config i have given in inputs.conf either in app you are using or in local directory of splunk_home/etc/system/local.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok on splunk forwarder (SUF) splunk universal forwarder
if you are using an app add this there
outputs.conf
[tcpout]
defaultGroup=hf
[tcpout:hf]
autoLBFrequency=40
server=ip:port
useACK=true
indexandforward=false
on HF
inputs.conf
[splunktcp://port]
disabled = 0
index= your index
if you are using an app like
SplunkTA windows input will go in local directory if not there already create one and add inputs.conf
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
