Splunkforwarder HEC input/output to another splunkforwarder

fsource
New Member

Hello,

I'm trying to use a UF to forward HEC data from the internet to another UF in our DMZ.

It looks like this:

httplistener input (UF1) httpout output  --> httplistener input (UF2 in DMZ) S2S output --> Splunk Enterprise in LAN

If I curl both HTTP listeners, I get success:

curl -k -u "x:TOKEN" "https://UF1:8088/services/collector/event" -d '{"event": "Hello, world!"}'
{"text":"Success","code":0}

curl -k -u "x:TOKEN" "https://UF2:8088/services/collector/event" -d '{"event": "Hello, world!"}'
{"text":"Success","code":0}

But I get events in my Splunk indexer only from the second curl; for the first one, it looks like the output is never forwarded to UF2...

Nothing in either the UF1 or UF2 logs about errors.

My /opt/splunkforwarder/etc/system/local/outputs.conf on UF1 looks like:

[tcpout]
defaultGroup = default-autolb-group
disabled = 1

[httpout]
disabled = 0
httpEventCollectorToken = MYTOKEN
uri = https://UF2-IP:8088
batchSize = 65536
batchTimeout = 5

 

Thanks for the help!!

Flo V.
