how to send UF to on-perm and cloud

narenpg · ‎12-05-2024

We have currently configured to send the logs to splunk cloud also we are setting up a DR on-perm server, now the question is how to configure the UF to send to both the cloud and DR (On-Perm). NO issues with the cloud environment. Is it possible to send it to both? On the UF the certificate is for splunk cloud and i am not sure how to add our on-perm certificate.

narenpg · ‎12-06-2024

Thanks. We have one perm license too. This on-perm env will be used for 2 days every quarter.

PickleRick · ‎12-05-2024

Well, as @gcusello already pointed out - you'd be paying for both your Cloud ingest volume and your on-prem volume. If that's fine with you...

There are other possible issues though and whether you can do that depends on how you're sending your data.

1) You can't specify multiple httpout stanzas in your forwarder. So if you want to send using s2s over http, tough luck.

2) I'm not sure but I seem to recall that you can't send both to tcpout and httpout (you might try to search this forum for details)

3) So we're left with two splunktcp outputs. It should work but remember that blocking one output blocks both outputs.

4) It also gets even more tricky to maintain if you want to selectively forward data from separate inputs - you have to remember which inputs to route to which outputs.

gcusello · ‎12-05-2024

Hi @narenpg ,

yes, it's possible but you pay twice the Splunk license.

You have to modify the outputs.conf to create a fork.

For more infos see at https://docs.splunk.com/Documentation/Splunk/9.3.2/Forwarding/Routeandfilterdatad

Ciao.

Giuseppe

how to send UF to on-perm and cloud

SSL

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services