Set universal forwarder destination after startup

dadi · ‎03-21-2012

Hi,

I install Splunk Universal Forwarder on a Windows server 2008. The Splunk-Server IP is known only after startup. So i want to set the destination only after windows start, and i want to do it from non-administrator account.
I was able to do it from administrator account (run splunk, set forward-server, restart). But i cant do it from non-administrator account.

Any idea how to do it?

thanks,

Doron

kristian_kolb · ‎03-21-2012

Could you not use the DNS name? /K

MarioM · ‎03-21-2012

you can create/edit outputs.conf in splunk/etc/system/local,as per example:

[tcpout]

## outputs.conf additions
disabled=false
defaultGroup=indexCluster

## For load balanced Splunk Forwarding (enabled by default)
[tcpout:indexCluster]
server=1.1.1.1:9997,2.2.2.2:9997,3.3.3.3:9997
autoLB = true

## For non load balanced lightweight Splunk Forwarding (disabled by default)
#[tcpout:indexCluster]
#server=1.1.1.1:9997

kristian_kolb · ‎03-21-2012

I assume that you are doing this in some sort of test environment, which is fine - but it is probably NOT a good idea to have your Splunk Indexer(s) on DHCP when moving into production.

MarioM · ‎03-21-2012

unfortunately there is no magic without admin rights but as Kristian.kolb mentionned you should use DNS name which you can update with the proper ip

kristian_kolb · ‎03-21-2012

That would require a restart of the splunkd service.

dadi · ‎03-21-2012

thanks. i did that, but than i need to restart the service (right?), and this can't be done without administrator privilages.

Set universal forwarder destination after startup

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes