All,
Just setting up a deploy server for the first time here. I have my universal forwarder connecting into the deploy server just fine. But how do I push doen the config to tell the UF to send it's data to the indexing tier?
Is there a template app someone can point me too?
You need to deploy at minimum an outputs.conf file with contents something like:
[tcpout]
defaultGroup = primary_indexers
[tcpout:primary_indexers]
server = server_one:9997, server_two:9997
You need to deploy at minimum an outputs.conf file with contents something like:
[tcpout]
defaultGroup = primary_indexers
[tcpout:primary_indexers]
server = server_one:9997, server_two:9997
Worked like a charm!
In Splunk 6, you will find the instructions for setting up forwarder management in the Updating Splunk Enterprise Instances manual.
Since you have the UF connecting to the deployment server, you can probably start with the section: Create deployment apps