Hello,
In a distributed environment with Universal Forwarder, Heavy Forwarder and Indexers, like this one: UF --> HF --> IDX
How do you set useACK=true in outputs.conf? Is it needed t...
...outeandfilterdatad. Or by directly setting the _TCP_ROUTING with inputs.conf on the UF. In outputs.conf we configure the two different destinations as in the example below. We see that in all Splunkdoc e...
...o I need to configure in the inputs.conf and outputs.conf of my heavy forwarders? The outputs.conf on the HF will be configured to forward data to the indexers. Essentially, my question is what i...
...ervice restart I see port 9998 listening on the indexer. I added the following config to the outputs.conf of my forwarder:
[tcpout:production]
server = myindexerfqdn:9998
useSSL = true
No data is g...
I have a cluster with a search head, master node, 2 indexers, and a deployment server. I am able to get the cluster to see new clients and push down updated .conf files, but I am having trouble h...
...nvironment with one search head, two clustered indexers, a Deployment Server/Cluster Master and a Heavy Forwarder.
When I look at the _internal index from the Search Head, I see data from all of the h...
...2 box. I have configured the indexer to listen on port 9997 and it reports it is properly doing so when I run splunk display listen. I have the forwarder pointed to the indexer on that same port b...
...eployment apps pushed down to these forwarders as follows:
App1 – indexer_config: Sets outputs.conf to point to indexer and defines clientCert and sslRootCAPath cert.
App2 – Splunk_TA_Windows: This App configure...
...ndexer 1- x.x.x.23
If I'm forwarding syslog data on UDP 514, I have the following:
inputs.conf
[udp://514]
connection_host=dns
index=syslog
sourcetype=syslog
outputs.conf
[s...