Splunkforwarder HEC input/output to another splunk...

Installation

Hello,

i'm triing to use an UF to forward HEC from internet data to another UF in our DMZ

look like :

httplistner input (UF1) httpout output --> httplistner input (UF2 in DMZ) S2S output --> Splunk enterprise in lan

if i curl both of http listener i got success,

curl -k -u "x:TOKEN" "https://UF1:8088/services/collector/event" -d '{"event": "Hello, world!"}'
{"text":"Success","code":0}

curl -k -u "x:TOKEN" "https://UF2:8088/services/collector/event" -d '{"event": "Hello, world!"}'
{"text":"Success","code":0}

But i got events in my splunk indexeur only on the second curl, the first one look like the output never forward to the UF2...

Nothing in both uf1-2 logs about errors.

My /opt/splunkforwarder/etc/system/local/outputs.conf on UF1 look like:

[tcpout]
defaultGroup = default-autolb-group
disabled = 1

[httpout]
disabled = 0
httpEventCollectorToken = MYTOKEN
uri = https://UF2-IP:8088
batchSize = 65536
batchTimeout = 5

Thks for help !!

Flo V.

Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community, We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...