Splunk Enterprise

Do I need universal forwarder to do intermediate forwarding on Guest2?

wuming79
Path Finder

Hi,

I am forwarding data from a NAT VM Guest1 to NAT VM Guest2. I have installed a universal forwarder to forward data to Guest2 and I can see data coming in. I then set the forwarding rules in the Splunk instance to forward out to Guest 3.

I noticed Guest 3 saw some data come in but I haven't installed a universal forwarder on Guest2.

Do I actually need to install Universal Forwarder on Guest2 to do it correctly?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi wuming79,
let me understand: you installed a Forwarder on Guest1 and it sends logs to a Splunk Enterprise on Guest2.
Now you want to forward logs from Guest 2 to Guest3 where there is another Splunk Enterprise instance, correct?

If this is your need, you don't need a Universal Forwarder on Guest2, you can use Splunk Enterprise on Guest2 to forward logs to another Splunk Enterprise (it's a Heavy Forwarder).
To set it, use Splunk web [Settings -- Forwarding and receiving -- Forwarding].

Bye.
Giuseppe

0 Karma
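
The setup described in the accepted answer, written as configuration files rather than Splunk Web settings. This is an added example, not part of the original thread; the hostname `guest3.example.internal`, the group name `guest3_indexers` and port 9997 are assumptions.

```ini
# --- Guest2 (Splunk Enterprise acting as heavy forwarder) ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Receive data from the universal forwarder on Guest1.
[splunktcp://9997]
disabled = 0

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Send everything Guest2 receives on to Guest3.
[tcpout]
defaultGroup = guest3_indexers
# true  = keep a local indexed copy on Guest2 and forward
# false = forward only, nothing is indexed on Guest2
indexAndForward = true

[tcpout:guest3_indexers]
# Assumed hostname and port for the Guest3 receiver.
server = guest3.example.internal:9997

# --- Guest3 (Splunk Enterprise receiving from Guest2) ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Traffic on this port is unencrypted unless TLS is configured on both sides.
[splunktcp://9997]
disabled = 0
```

Restart Splunk on each host after editing these files so the changes take effect.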

wuming79
Path Finder

Thanks cusello!

0 Karma

inventsekar
Ultra Champion

From Guest1, do you want to send data to both Guest2 and Guest3?
or
Guest1 to Guest2 and then from Guest2 to Guest3?

Maybe check once - Forward data to third-party systems
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Forwarding/Forwarddatatothird-partysystemsd

0 Karma

wuming79
Path Finder

Guest1 to Guest2 and then from Guest2 to Guest3?

Currently in my system\local\ there is no prop.conf nor transform.conf. Do I have to create these files?

0 Karma