- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to setup forwarder details in inputs.conf?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to setup forwarder details in inputs.conf?
I have existing Universal Forwarder setup for our prod Splunk Enterprise instance. Now, I am trying to setup a dev Splunk instance. I would like to receive data from the same forwarder which is already being used to provide data to prod instances.
I have set the receiver port in my new Splunk instance(lets say host ip as 10.99.1.123) as 9997. And added the same to tcpout servers list as 10.99.1.123:9997 in outputs.conf file of our universal forwarder.
But I am not able to find how to specify the forwarder details in inputs.conf file in my newly created Splunk instance.
Please let me know if the above process is correct and how to setup the inputs.conf file in order to receive data from the Universal Forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
outputs.conf
[tcpout:c]
server=server1:9997
[tcpout:d]
server=server2:9997
inputs.conf
[monitor://path/file1.log]
_TCP_ROUTING = c
[monitor://path/file2.log]
_TCP_ROUTING = d
http://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
-- But I am not able to find how to specify the forwarder details in inputs.conf file in my newly created Splunk instance.
On the indexer all that you need to do is to specify the receiving port in inputs.conf -
[splunktcp://9997]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Btw, if you already here, you might consider increasing the splunktcpin queue from its default of 512 KB to something more substantial - we set it up to 1 GB in dev and close to 3 GBs in prod.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You basically want to clone the data (get same data to DEV instance that you get in prod right now) OR you've some different set of files/directories that you want to monitor for DEV instance??
In both cases, you'd need to update your outputs.conf and inputs.conf for routing the data appropriately and would need a read to this very useful doc:
http://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad#Configure_routing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You configure (actually, just check, it should be there by default) inputs.conf on your Indexer to listen on 9997. You then configure outputs.conf on your forwarder to send to the Indexer. Then you also configure inputs.conf on your forwarder, probably with [monitor://...] stanza, to tell it what to send to the Indexer. Then you restart splunk everywhere and enjoy.
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
