I'm a brand new Splunk user. I've seen you can have just an Enterprise install, no forwarders, monitoring local data only (off-topic to expand on the "only"). Since the single install handles search head & indexer duties (right?), I've been trying to install a forwarder on the same Enterprise box but can't get it to connect. I also tried a separate box for just the forwarder & netstat did say "9997" ESTABLISHED on both machines; still no forwarder data connection.
If a forwarder does need an indexer, could the indexer & forwarder be on the same machine? I'd tend to think yes but then again...
Thanks!
-- I also tried a separate box for just the forwarder & netstat did say "9997" ESTABLISHED on both machines; still no forwarder data connection.
For that, you'd better start with "I can't find my data!"
If we look at -
We can see the Splunk tiers. The forwarders, universal and heavy, can be anywhere as long as they can interact with the index tier.
You can also see the Splunk Universal Forwarder "Forwarder Manual" and the "How to forward data to Splunk Enterprise" section at http://docs.splunk.com/Documentation/Forwarder/6.5.1/Forwarder/HowtoforwarddatatoSplunkEnterprise. The steps are listed 1-7 at the top of the topic, and you can scroll down for individual configuration steps/info.
The Splunk enterprise installation can also be a heavy forwarder.
A Splunk Enterprise instance is able to read log files and run scripts just like a universal forwarder. So in this case your installation will be the indexer & search head (note these are just descriptions of what role the installation is playing; it is the same Enterprise installation of Splunk). The indexer is able to ingest logs from the local machine or via shares/scripts.
In the scenario you are describing, it would not make sense to install a universal forwarder on the same machine. You would want to install the universal forwarder on a remote machine you need to obtain logs from, and then send the logs to your indexer.
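Added example (not from either answer above, and not Splunk's own documentation): the minimal CLI steps that wire a remote universal forwarder to a single Splunk Enterprise instance over port 9997, plus a small parser for `splunk list forward-server` output that distinguishes a forwarder that is really sending from one whose TCP session is up (netstat shows ESTABLISHED) but is "configured but inactive". Assumptions: Splunk lives under `$SPLUNK_HOME` (defaulting to /opt/splunk), `admin:changeme` is a placeholder credential, `10.0.0.5` is a constructed indexer address, and the sample status text is constructed to match the CLI's "Active forwards:" / "Configured but inactive forwards:" layout.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Splunk.
# SPLUNK_HOME: /opt/splunk for Enterprise, /opt/splunkforwarder for a UF (assumption).
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
AUTH="admin:changeme"   # placeholder credential, replace with a real admin login

# Run on the Enterprise box (indexer + search head): open the receiving port.
# This writes a [splunktcp://9997] stanza into inputs.conf.
indexer_enable_receiving() {
  "$SPLUNK_HOME/bin/splunk" enable listen 9997 -auth "$AUTH"
}

# Run on the remote host that carries the universal forwarder:
# point it at the indexer and give it at least one input to ship.
# A forwarder with no monitor input will connect on 9997 and send nothing.
forwarder_configure() {
  indexer="$1"   # e.g. 10.0.0.5 (constructed address)
  "$SPLUNK_HOME/bin/splunk" add forward-server "$indexer:9997" -auth "$AUTH"
  "$SPLUNK_HOME/bin/splunk" add monitor /var/log/syslog -index main -sourcetype syslog -auth "$AUTH"
  "$SPLUNK_HOME/bin/splunk" restart
}

# Classify one indexer entry from `splunk list forward-server` output read on stdin.
# Prints "active" (data is flowing), "inactive" (configured but no active forward,
# the ESTABLISHED-but-no-data symptom) or "unknown" (not listed at all).
forward_server_state() {
  awk -v target="$1" '
    /^Active forwards:/                  { section = "active";   next }
    /^Configured but inactive forwards:/ { section = "inactive"; next }
    $1 == target                         { print section; found = 1; exit }
    END                                  { if (!found) print "unknown" }'
}

# Constructed sample of the CLI output for a forwarder whose session is up
# but which has nothing to send (indentation uses spaces; the CLI uses tabs).
SAMPLE_STATUS='Active forwards:
    None
Configured but inactive forwards:
    10.0.0.5:9997'

# Usage on the forwarder host:
#   "$SPLUNK_HOME/bin/splunk" list forward-server -auth "$AUTH" | forward_server_state 10.0.0.5:9997
printf '%s\n' "$SAMPLE_STATUS" | forward_server_state 10.0.0.5:9997
```

If the parser reports "inactive" while netstat shows the 9997 session ESTABLISHED, the TCP handshake succeeded but nothing is being forwarded; check that the forwarder has a monitor input and that the target index exists on the indexer. On the indexer side, `index=_internal source=*metrics.log group=tcpin_connections` lists every forwarder that has actually delivered data.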