Splunk Enterprise

How can i send the same data from one universal forwarder to multiple universal forwarder ?

super_saiyan
Communicator

hi all,

how can i send the same data from one universal forwarder to multiple universal forwarder ?

is there a way to configure this ? if yes, please tell me the process.

Labels (1)
0 Karma
1 Solution

mayurr98
Super Champion

Yes you can but it will hit the license meter twice so you need to cautious about that. 

please see below example

 

[tcpout:uf1]
server = xxx.xxx.xxx.xxx:9997
disabled = false
[tcpout-server://xxx.xxx.xxx.xxx:9997]

[tcpout:uf2]
server=yyy.yyy.yyy.yyy:9997
disabled = false
[tcpout-server://yyy.yyy.yyy.yyy:9997]

.

View solution in original post

mayurr98
Super Champion

it should be the same way you generally forward data to indexing tier

 

[tcpout]
defaultGroup = uf_tier

[tcpout:uf_tier]
server=uf1:9997,uf2:9997,... so on.

 

Refer:

https://community.splunk.com/t5/Getting-Data-In/Sending-data-from-one-UF-to-other-UF/m-p/403838

https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Configureforwarderswithoutputs.c...

PickleRick
SplunkTrust
SplunkTrust

As I wrote before - that's just one of the possibilities of intepreting OP's request. This way each event would get forwarded to one of the destinations from the group only. It would not get forwarded to every one of them at the same time.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

You can specify multiple outputs in the outputs.conf file - each event will be sent to all defined outputs. You can also define a load-balancing group there and then the uf will send events in batches to one of the servers from the group. You can combine the approaches and define multiple groups. See the outputs.conf file specification and examples https://docs.splunk.com/Documentation/Splunk/8.2.5/Admin/Outputsconf

super_saiyan
Communicator

can we transfer the same data from SplunkUF to two different groups?

@PickleRick @mayurr98 

0 Karma

mayurr98
Super Champion

Yes you can but it will hit the license meter twice so you need to cautious about that. 

please see below example

 

[tcpout:uf1]
server = xxx.xxx.xxx.xxx:9997
disabled = false
[tcpout-server://xxx.xxx.xxx.xxx:9997]

[tcpout:uf2]
server=yyy.yyy.yyy.yyy:9997
disabled = false
[tcpout-server://yyy.yyy.yyy.yyy:9997]

.

PickleRick
SplunkTrust
SplunkTrust

It's not that simple. Splunk counts the licence usage based on raw data that is written to indexes so if the data is in any way modified and/or filtered, the license usage may not be straightforward doubled.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

As I wrote before - if you define multiple output groups, you can have "parallel" output channels so that each event gets forwarded to all of those groups.

0 Karma

super_saiyan
Communicator

thnka you so much for the response.

can you please provide any example stanza  ?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...