Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to export forwarder configuration

xabidh
New Member
‎10-09-2015 01:21 AM

Hi,

I have installed the forwarder in DC and other server as Indexer.
I do not know how was installed.
I would like to export Forwarder configuration because I have to install a new Forwarder with the same configuration to delete the old one.
What files need to be copied / check?

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

asimagu
Builder
‎10-09-2015 07:00 AM

This is usually configured inside the SplunkForwarder app

$SPLUNK_HOME/etc/apps/SplunkForwarder

but it may be that you configured it in a different way...

View solution in original post

0 Karma
Reply
Solved! Jump to solution

xabidh
New Member
‎10-13-2015 03:18 AM

Ok, thanks.

Is necessary change something in the Indexer server?

0 Karma
Reply
Solved! Jump to solution

stmyers7941
Path Finder
‎10-13-2015 08:51 AM

The indexer needs to have an inputs.conf with [splunktcp://9997] stanza. You can check to see if your indexer is listening with netstat (assuming nix):
~ $ netstat -tnlp | grep 9997
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN 24504/splunkd

0 Karma
Reply
Solved! Jump to solution

xabidh
New Member
‎10-14-2015 10:42 AM

I already have this sentece in inputs.conf.
I supposed that is not needed in the Indexer point to Forwarder...
I see with the comand "netstat -a" something like that:
TCP [IP of indexer]:9997 [IP of forwarder]:62244

Thanks

0 Karma
Reply
Solved! Jump to solution

vincenteous
Communicator
‎10-10-2015 08:58 AM

Hi xabidh,

If you want to implement existing configurations from old forwarder to the new one, I suggest you copy the entirety of $SPLUNK_HOME/etc folder. Copying this folders means you copy all installed apps of old forwarder, inputs.conf, outputs.conf, authentication, and other configurations which has previously been defined on the old one.

0 Karma
Reply
Solved! Jump to solution
Solution

asimagu
Builder
‎10-09-2015 07:00 AM

This is usually configured inside the SplunkForwarder app

$SPLUNK_HOME/etc/apps/SplunkForwarder

but it may be that you configured it in a different way...

0 Karma
Reply
Solved! Jump to solution

xabidh
New Member
‎10-10-2015 12:23 AM

Hi,
I have checked all files inside this folder C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder but I cannot find the file where its configured the indexer. What is the file name where should be contained the IP/name of indexer server?

Regards

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎10-10-2015 01:40 AM

check any available outputs.conf on your forwarder

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...