I believe by "cluster configuration mode" you are referring to the "indexer cluster" and "indexer discovery" features of Splunk. An indexer cluster enables indexers to hold backup copies of each other's data in case of the failure of an indexer. Indexer Discovery is where servers with data to send to an indexer consult the Cluster Master (CM) to find out which indexer to use. In no case does data flow through the CM. The Cluster Master is a manager, not a conduit.

Apps that send data in syslog or HTTP format should not be talking to a universal forwarder, as a UF understands neither protocol. For syslog, the apps should be sending to a dedicated syslog server which saves the data to disk files. The UF then monitors those disk files and sends the data to indexers. Alternatively, you could use the Splunk Connect for Syslog product to collect syslog data and forward it directly to the indexers. For HTTP, apps should send to a heavy forwarder (HF) with HTTP Event Collector (HEC) enabled. Another option is to enable HEC on your indexers and use a load balancer to distribute the events evenly among the indexers.

It adds no value to prefix index names with "index_".

To answer your questions:

1) The CM does not know about universal forwarders. That's the job of the Monitoring Console and, optionally, the Deployment Server.

2) To learn how to configure inputs on a UF, see https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Configuretheuniversalforwarder. As mentioned above, you will not be configuring input ports on the UF.

3) Applications do not send messages to the CM. As already mentioned, applications send data to forwarders, indexers, or syslog servers. The index to which data should be written is defined in the inputs.conf file on the forwarder or in the HEC stream.
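The answer above describes three things in prose: a UF that monitors syslog files written by a syslog server and picks the destination index per input, a UF that uses indexer discovery to ask the CM which indexers to send to, and a heavy forwarder with HEC enabled so HTTP senders never touch a UF. The following configuration fragments are an added illustration of that layout; they are not part of the original answer and are not from Splunk's documentation. All host names, ports, paths, index names, the token value and the pass4SymmKey value are placeholders that you would replace with your own.

```ini
# --- On the universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# The UF does not listen on a syslog or HTTP port. It only tails the files
# that the dedicated syslog server has already written to disk.
# The destination index is chosen here, per input, as the answer says.
[monitor:///var/log/remote-syslog/firewall/*.log]
index = firewall            ; placeholder index name (no "index_" prefix needed)
sourcetype = syslog
disabled = 0

[monitor:///var/log/remote-syslog/linux/*.log]
index = os_linux            ; placeholder index name
sourcetype = syslog
disabled = 0

# --- On the universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Indexer discovery: the UF asks the Cluster Master for the current list of
# peer indexers and then sends data directly to those indexers. Event data
# never passes through the CM itself; it only answers "who are the indexers?".
[indexer_discovery:prod_cluster]
master_uri = https://cm.example.internal:8089     ; placeholder CM management URI
pass4SymmKey = REPLACE_WITH_SHARED_SECRET         ; must match the CM's [indexer_discovery] key

[tcpout:prod_indexers]
indexerDiscovery = prod_cluster
useACK = true               ; indexer acknowledgement so the UF resends if delivery fails

[tcpout]
defaultGroup = prod_indexers

# --- On the Cluster Master: $SPLUNK_HOME/etc/system/local/server.conf ---
# This is the only CM-side piece indexer discovery needs. The CM does not
# track universal forwarders; it only authenticates their discovery requests.
[indexer_discovery]
pass4SymmKey = REPLACE_WITH_SHARED_SECRET         ; same value as on the forwarders

# --- On the heavy forwarder: $SPLUNK_HOME/etc/apps/hec_inputs/local/inputs.conf ---
# HTTP senders talk to the HF's HTTP Event Collector, not to a UF.
# One token per application keeps the index assignment and the credential
# scoped to that application, so a leaked token can be revoked on its own.
[http]
disabled = 0
port = 8088
enableSSL = 1               ; keep HEC on TLS; the default is already on

[http://app_orders]
token = 00000000-0000-0000-0000-000000000000     ; placeholder; Splunk generates a real GUID
index = app_orders          ; placeholder index; events land here unless the event names another
indexes = app_orders        ; restrict which indexes this token may write to
sourcetype = _json
disabled = 0
```

The pass4SymmKey values are written in clear text here for illustration; Splunk encrypts them in place the first time the instance starts, and they should be treated as a shared secret when distributing this file through a deployment server. The `indexes` setting on the HEC token is the check worth keeping: it stops an application from writing into an index it was not given, even if it sets an `index` field in its own payload.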