heavy forwarding

MK3 · ‎08-23-2024

hello,

as per https://docs.splunk.com/Documentation/Splunk/9.3.0/Forwarding/EnableforwardingonaSplunkEnterpriseins...

where are the files like outputs, props and transforms stored? i am using splunk web enterprise.

Also where is my $splunk_home? am trying to setup heavy forwarding to send indexed data to a database on a schedule.

thanks

gcusello · ‎08-23-2024

Hi @MK3 ,

sorry but there's some confision in your question:

to forward data from Forwarders to Splunk Enterprise you have to follow the instructions at:

https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding

https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Forwarddata

to forward data you need outputs.conf that can be in $SPLUNK_HOME/etc/system/local or a dedicated app.

to take logs, you need inputs.conf that's in the same folder.

props.conf and transforms.conf are in the same folder, but usually aren't relevant on Forwarders (if Universal)

$SPLUNK_HOME is the folder where you installed Splunk, by default it's C:\Program Files\splunk on Windows and /opt/splunk on Linux.

You cannot send indexed data from an Heavy Forwarder, because it doesn't index data, but maybe you mean coocked data: you can send coocked (or uncooked data) to a third party using syslog.

To send data to an external database you must use DB-Connect on Search Heads, but it's a different thing.

Ciao.

Giuseppe

heavy forwarding

lookup

stats

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives

Join the Conversation

heavy forwarding

lookup

stats

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives