Hello everyone,

Background: I want to create a new Splunk environment. I'm still in a learning process; I'm new to Splunk.

My environment today includes:
- 3 indexers
- 3 search heads
- 1 cluster master that also serves as a license master
- 1 universal forwarder

** [ All servers are Linux servers ] **

I want to build my Splunk environment in a "cluster configuration mode": I want to send data from the universal forwarder to the cluster master, and from there to my indexers.

My main target is to collect logs from different application servers [by sending me syslog or HTTP] in order to monitor their status. I want to create a unique index for each app: for example, the logs that are sent from an app called app1 will go into an index called "index_app1".

I would like to get help with the following questions:

1. How can I check if the cluster master knows the universal forwarder? How do I check it?
2. I want to understand how I configure the inputs.conf file of my universal forwarder: I want to allow each app to send logs to the UF on a different port [in TCP or in UDP]. For example: application A will send logs to my universal forwarder on port 4928, and application B will send logs to my universal forwarder on port 4929.
3. How can I send the messages to the cluster master and recognize the correct index which the messages belong to? All messages that are sent from application A will be under index_app1; all messages that are sent from application B will be under index_app2.

Thank you for your help!
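As an added example (not from the original post), one way to express questions 2 and 3 in the forwarder's own configuration: each listening port gets its own inputs.conf stanza whose `index` setting names the destination index, and outputs.conf uses indexer discovery so the forwarder obtains the list of cluster peers from the cluster master and delivers the events to the indexers. The hostname, sourcetype names and shared key below are placeholders, and the two indexes must also be defined on the indexers (normally via indexes.conf pushed from the cluster master).

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the universal forwarder
# (added example, not from the post). One stanza per listening port;
# "index" routes everything received on that port to the named index.
# Splunk .conf files only accept comments on their own lines.
[tcp://4928]
index = index_app1
sourcetype = app1_syslog
connection_host = ip

[udp://4929]
index = index_app2
sourcetype = app2_syslog
connection_host = ip

# $SPLUNK_HOME/etc/system/local/outputs.conf on the universal forwarder
# The forwarder ships events to the indexers; with indexer discovery it
# asks the cluster master for the current peer list instead of hard-coding it.
# The key must match [indexer_discovery] pass4SymmKey in the cluster master's server.conf.
[indexer_discovery:cluster1]
master_uri = https://cluster-master.example.com:8089
pass4SymmKey = CHANGE_ME_PLACEHOLDER

[tcpout]
defaultGroup = cluster_peers

[tcpout:cluster_peers]
indexerDiscovery = cluster1
```

After a restart, `splunk list forward-server` on the forwarder shows which indexers it is actively connected to, which is the practical way to confirm the forwarder has been picked up by the cluster.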