Hi,
I am new to Splunk and need to take care of an existing Splunk setup. I am trying to forward large CSV files from a Universal Forwarder (UF) to a Heavy Forwarder (HF) and then to the indexers.
Our existing setup is 1 MA, 2 HF, 2 SH and 2 INX. Right now I am forwarding live logs from an ArcSight server (non-Splunk forwarder) to the HF, which divides them into 10 different indexes based on data type.
Without disturbing the above setup, I want to forward large CSV files (5-10 MB) from a Linux server using the UF.
See below the config settings I have done so far. I am receiving events on the HF but am not sure how to redirect them to a specific index.
On the Universal Forwarder
**inputs.conf**
```ini
[default]
host = server1.mydomain.com
[monitor://opt/client/reports/archive/Splunk/]
sourcetype = csv
index = main
```
**outputs.conf**
```ini
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = hfserver2.mydomain.com:6514
[tcpout-server://hfserver2.mydomain.com:6514]
```
On the Heavy Forwarder
**inputs.conf**
```ini
[default]
host = hfserver2.mydomain.com
# receive events from the ArcSight Forwarding connector
[tcp:4514]
disabled = 0
sourcetype = cefevents
# for reports (to receive events from the Splunk universal forwarder)
[splunktcp:6514]
disabled = 0
sourcetype = csv
```
**outputs.conf** (I haven't made any changes here)
```ini
# use indexer discovery to identify the indexers dynamically
[indexer_discovery:splunk_master]
pass4SymmKey = ********************************
master_uri = https://ma1server.mydomain.com:8089
# don't index any events on the Heavy Forwarder, just forward events to the indexers
[indexAndForward]
index = false
[tcpout]
defaultGroup = SplunkIndexers
[tcpout:SplunkIndexers]
# identify which indexers to send events to by querying the master node
indexerDiscovery = splunk_master
```
With this setup, I am receiving events on the HF (verified via tcpdump) but I can't see them on the indexer. I think they are getting discarded.
I am making all the changes in the config files since I don't know how to do it via the Master's web UI.
Please help me.
Thanks in advance
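A small checker, added here and not part of the original post, for the UF inputs.conf shown above: it parses the stanza text (constructed from the post) and flags a monitor path that is not absolute and a monitor stanza whose index is unset or still `main`. The expected index name `reports` is a placeholder, not a value from the post.

```python
"""Lint the UF inputs.conf posted above (added example; not from the poster's setup).

It parses the stanza text constructed from the post and flags the two things a
reviewer would check before looking at the HF or indexers: a monitor:// path that
is not absolute (Splunk expects monitor:///abs/path, so "monitor://opt/..." names
a relative path) and a monitor stanza whose index is unset or still "main".
"""
import configparser
from typing import Dict, List, Optional

# Constructed from the post; not read from any live forwarder.
UF_INPUTS_CONF = """\
[default]
host = server1.mydomain.com
[monitor://opt/client/reports/archive/Splunk/]
sourcetype = csv
index = main
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case; Splunk keys are case-sensitive
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def lint_monitor_stanzas(conf: Dict[str, Dict[str, str]],
                         expected_index: Optional[str] = None) -> List[str]:
    """Return one finding per problem in the monitor:// stanzas (empty list if clean)."""
    findings: List[str] = []
    for stanza, keys in conf.items():
        if not stanza.startswith("monitor://"):
            continue
        path = stanza[len("monitor://"):]
        if not path.startswith("/"):
            findings.append(f"{stanza}: path is relative; an absolute path reads monitor:///{path}")
        index = keys.get("index")
        if index is None:
            findings.append(f"{stanza}: no index key; events land in the receiver's default index")
        elif expected_index is not None and index != expected_index:
            findings.append(f"{stanza}: index={index}, expected {expected_index}")
        elif index == "main":
            findings.append(f"{stanza}: index=main is the default; set the intended index explicitly")
    return findings


if __name__ == "__main__":
    # "reports" is a placeholder for whichever index the CSV events should reach.
    for finding in lint_monitor_stanzas(parse_conf(UF_INPUTS_CONF), expected_index="reports"):
        print(finding)
```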