Other Admin
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

using vm's to set up splunk scenario

newsplunkuser
Loves-to-Learn
‎01-22-2025 09:18 AM

I'm trying to learn about splunk for an upcoming position. I recently purchased parallels so I could utilize windows vms. I was trying to set up an indexer on one vm and the forwarder on another and just mess around with splunks capabilities. Is this even possible? So far it hasn't worked and I have tried a few alterations on the output.conf file in the forwarder. since the VMs have the same public address, I tried to use the private address and I also tried to go by hostname and it still didn't work. Any suggestions?

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎01-22-2025 11:14 AM

@newsplunkuser  - It is definitely possible. We have many production systems on VMs.

Verify below details first:

  • Each VM should have its own unique IP address (private or public).
  • One VM should be able to access IP address of other VM, if it is not, then that is a Networking issue, which needs to be fixed.
  • Install Splunk Enterprice on both the VMs

 

Once you verify above then you can configure Splunk to receive and forward data:

  • For Splunk Indexer Machine:
    • Setup Data Receiving from UI Settings
    • or
    • Setup Data receiving through inputs.conf
      • [splunktcp:9997]
  •  
  • For Splunk Forwarder Machine:
    • Setup Data Forwarding from UI Settings
    • or
    • Setup Data forwarding through outputs.conf

      • [tcpout]
        defaultGroup = my_indexer
        [my_indexer]
        server = <ip-of-indexer-vm>:9997

 

I hope this helps!!! Kindly upvote if it does!!!

Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...