Getting Data In

UniversalForwarder and Splunk 4.2.x on Search Head

beaumaris
Communicator

How would you deploy 4.2.1 Splunk and Universal Forwarder on a Search Head node that is doing distributed search and also has the *Nix application installed as well? Both the Universal Forwarder and the Splunk deployments use the same daemon name ‘splunkd’. I am deploying UF as a system image along with Splunk for the Search Head. When starting UF I get the message that mgmt port 8089 is already bound. Should I just assign the UF mgmt port to another value? How do I get UF and splunk to co-exist on the SHD? Am I correct in assuming that I will need the UF on the SHD to forward *Nix stats to my Indexer? What recommendations would you make for this configuration?

0 Karma

Paolo_Prigione
Builder

You won't need the UF to forward to the indexers, that can be done by the SH itself if you configure it from the Manager's forwarding/receiving configuration panel:

  • you might want to set "index and forward" to false in the "Forwarding defaults" page (no indexing happening on the SH)
  • You'll then need to add a forward server by specifying your indexer's dns name and 9997 port (if you are using default configs)

You'll also need to create the "os" index on the indexer as those data won't be stoerd on the SH anymore.

Also, override the default system/default/outputs.conf configuation in case you want to ship your SH splunk logs to the indexer as well (index=_intenal is not forwarder by default). But that is another topic...

0 Karma

namanjoshi
Explorer

Running the UF on another port should do the trick I think. Just add the following to ${SPLUNK_HOME}/etc/system/local/web.conf :

[settings]
mgmtHostPort = 127.0.0.1:8088
0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...