Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunkforwarder HEC input/output to another splunkforwarder

fsource
New Member
‎04-14-2021 10:01 AM

Hello,

i'm triing to use an UF to forward HEC from internet data to another UF in our DMZ

look like :

httplistner input (UF1) httpout output  --> httplistner input (UF2 in DMZ) S2S output --> Splunk enterprise in lan

if i curl both of http listener i got success, 

curl -k -u "x:TOKEN" "https://UF1:8088/services/collector/event" -d '{"event": "Hello, world!"}'
{"text":"Success","code":0}

curl -k -u "x:TOKEN" "https://UF2:8088/services/collector/event" -d '{"event": "Hello, world!"}'
{"text":"Success","code":0}

But i got events in my splunk indexeur only on the second curl, the first one look like the output never forward to the UF2... 

Nothing in both uf1-2 logs about errors. 

My /opt/splunkforwarder/etc/system/local/outputs.conf on UF1 look like:

[tcpout]
defaultGroup = default-autolb-group
disabled = 1

[httpout]
disabled = 0
httpEventCollectorToken = MYTOKEN
uri = https://UF2-IP:8088
batchSize = 65536
batchTimeout = 5

 

Thks for help !!

Flo V.

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...
Top