Hi,
I am forwarding data from a NAT VM Guest1 to NAT VM Guest2. I have installed a universal forwarder to forward data to Guest2 and I can see data coming in. I then set the forwarding rules in the Splunk instance to forward out to Guest 3.
I noticed Guest 3 saw some data in but I haven't installed a universal forwarder on Guest2.
Do I actually need to install a Universal Forwarder on Guest2 to do it correctly?
Hi wuming79,
let me understand: you installed Forwarder on Guest1 and it sends logs to a Splunk Enterprise on Guest2.
Now you want to forward logs from Guest 2 to Guest3 where there is another Splunk Enterprise instance, correct?
If this is your need, you don't need a Universal Forwarder on Guest2, you can use Splunk Enterprise on Guest2 to forward logs to another Splunk Enterprise (it's a Heavy Forwarder).
To set it use Splunk web [Settings -- Forwarding and receiving -- Forwarding].
Bye.
Giuseppe
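
What the Splunk Web forwarding setting in the answer above corresponds to on disk, as an added example that is not part of the original thread. The hostname `guest3.example`, the group name `guest3_indexers` and port 9997 are assumptions; substitute the values of your own environment.

```ini
# --- Guest2: Splunk Enterprise acting as a heavy forwarder ---
# File: $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
# Send everything to this target group unless routing says otherwise.
defaultGroup = guest3_indexers
# Keep a locally indexed copy on Guest2 in addition to forwarding.
# Set to false if Guest2 should only relay the data.
indexAndForward = true

[tcpout:guest3_indexers]
# Assumed receiver address and port on Guest3.
server = guest3.example:9997

# --- Guest3: receiving Splunk Enterprise ---
# File: $SPLUNK_HOME/etc/system/local/inputs.conf
[splunktcp://9997]
# Listen for forwarded (cooked) Splunk data on the assumed port.
disabled = 0
```

Restart Splunk on each instance after editing these files so that the new stanzas are loaded.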
Thanks cusello!
from Guest1, do you want to send data to both Guest2 and Guest3?
or
Guest1 to Guest2 and then from Guest2 to Guest3?
maybe, check once - Forward data to third-party systems
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Forwarding/Forwarddatatothird-partysystemsd
Guest1 to Guest2 and then from Guest2 to Guest3?
Currently in my system\local\ there is no prop.conf nor transform.conf. Do I have to create these files?