- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Configure a Receiver to Forward to itself
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configure a Receiver to Forward to itself
Hey there,
What is the best way (if any) to configure the Receiver host to accept forwarded data from itself? I thought it would be as easy as configuring the host as a receive and then forwarding data to itself from the forwarding configuration. But this does not seem to work.
Any advice?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the response(s).
Basically, I wanted to make my splunk receiver a cron server as well. And I would like the output of the local cron scripts to be received and indexed by the local splunk listener.
I had set up the splunk server to listen on port 9997 then also configured it to forward to itself on that port. I then configured a local test script to run every 30 seconds through the splunk manager but found that the output of the script was not getting captured by the splunk server.
Is there a better way to do something like this than what I had understood?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree with @lukejadamec. Probably better to just read local files as ... local files, i.e. have a mixture of [monitor] and [splunktcp] stanzas in the inputs.conf files on the Indexer. In theory, you could install a Forwarder on the same machine as the Indexer, to send the output to localhost:9997 (or whatever port you are using), but that seems ... unnecessary.
Again, what is the use case?
UPDATE:
The best way - from the way it sounds - is to just monitor the file that is created by the script.
inputs.conf (on the indexer)
[monitor:///path/to/file]
index = your_index
sourcetype = your_sourcetype
See these sections of the docs;
http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories
http://docs.splunk.com/Documentation/Splunk/latest/Data/FilesDirslocal
http://docs.splunk.com/Documentation/Splunk/latest/Data/Unixlogslocal
hope this helps,
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In what use case?
What do you want Splunk to do with the data after it sends it to itself?
Indexers are receivers, so there is no reason to send it in a loop.
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
