Solved: Re: Splunk Stream change of heavy forwarder

_daver · ‎07-21-2019

Hi

I am running Splunk Stream in a SplunkCloud environment. I have a heavy fowarder (say hf01) that has stream app installed and it communicates with the splunk fowardwarders where Stream TA is running and pushes the latest config.

I have changed the heavy forwarder that has stream app installed from hf01 to hf03. How can I let my UF's know that now check hf03 instead of hf01 for configurations?

nabeel652 · ‎07-22-2019

On all of your UF's (either manually or through config manager/deployment server) change the splunk_stream_app_location to new heavy forwarder. It should look like this:

[streamfwd://streamfwd]
splunk_stream_app_location = http://hf03:8000/en-US/custom/splunk_app_stream/
stream_forwarder_id = <Your fwdr id>
disabled = false

View solution in original post

nabeel652 · ‎07-22-2019

On all of your UF's (either manually or through config manager/deployment server) change the splunk_stream_app_location to new heavy forwarder. It should look like this:

[streamfwd://streamfwd]
splunk_stream_app_location = http://hf03:8000/en-US/custom/splunk_app_stream/
stream_forwarder_id = <Your fwdr id>
disabled = false

nabeel652 · ‎07-22-2019

BTW the location of the file would be:

[SPLUNK_HOME]/etc/apps/splunk_TA_stream/local/inputs.conf

_daver · ‎07-22-2019

Thanks @nabeel652
That worked!

Splunk Stream change of heavy forwarder

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases