Remotely deploy universal forwarder so that it for...

rajbahak · ‎02-08-2012

Hello,

I need to be able to configure universal forwarder with more than one indexing server from the command line.

The example below has only one receiving indexer. What is the best way to configure more than one receiving index server from the command line?

msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997"

Thanks a lot for your time/help.

rajbahak · ‎02-09-2012

Hey Takajian,

Thanks for your reply. I am aware of the outputs.conf configuration that you've mentioned above. I was interested to know if the same could be achieved from a command line so that I did not have to go and edit the conf file after installing the universal forwarder..

Thanks again

Takajian · ‎02-08-2012

You can forward data to cloned targets. But you need to configure outputs.conf.

The following configuration should enable cloning. Set the following in outputs.conf:

[tcpout]
defaultGroup = group1, group2 # Clone data to group1 and group2

[tcpout:group1]
server = indexer1:9997

[tcpout:group2]
server = indexer2:9997
sendCookedData = false # Send raw TCP data(logs read by splunk)

Remotely deploy universal forwarder so that it forwards data two multiple inderxers

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation