Solved: Can a Universal Forwarder be used to forward index...

Ryan_Beck · ‎11-10-2016

Hello. I'm fairly new to Splunk and am working on configuring a Splunk infrastructure. If I have one search head server and one indexer server, any data that is indexed on the search head server should be forwarded to the indexer server. I see that there are Splunk documents that show to change the outputs.conf file to accomplish this.

However, instead of changing the outputs.conf file, could I install a universal forwarder on the search head server and use the universal forwarder to forward all indexed data to the indexer server?

I would appreciate any insight.

sk314 · ‎11-10-2016

The search head is full Splunk Enterprise instance and includes ALL features including the forwarder features. You do not have to install a forwarder additionally. Use the outputs.conf settings to forward the data. It's a best practice. This helps you analyze the internal logs even if your search head is down.

For Reference: http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Forwardsearchheaddata

View solution in original post

sk314 · ‎11-10-2016

The search head is full Splunk Enterprise instance and includes ALL features including the forwarder features. You do not have to install a forwarder additionally. Use the outputs.conf settings to forward the data. It's a best practice. This helps you analyze the internal logs even if your search head is down.

For Reference: http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Forwardsearchheaddata

Ryan_Beck · ‎11-14-2016

Ok I see, that makes sense and clarifies things. Thank you for your reply and the information that you provided!

Can a Universal Forwarder be used to forward indexed data on a search head to an indexer?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!