Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does a forwarder need to connect through an indexer?

smellpit
Explorer
‎12-24-2016 03:26 PM

I'm a brand new Splunk user. I've seen you can have just an Enterprise install, no forwarders, monitoring local data only (off-topic to expand on the "only"). Since the single install handles search head & indexer duties (right?), I've been trying to install a forwarder on the same Enterprise box but can't get it to connect. I also tried a separate box for just the forwarder & netstat did say "9997" ESTABLISHED on both machines; still no forwarder data connection.

If a forwarder does need an indexer, could the indexer & forwarder be on the same machine? I'd tend to think yes but then again...

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎12-25-2016 08:12 AM

-- I also tried a separate box for just the forwarder & netstat did say "9997" ESTABLISHED on both machines; still no forwarder data connection.

For that you better start with I can't find my data!

If we look at -

alt text

We can see the Splunk tiers. The forwarders, universal and heavy can be anywhere as long as long as they can interact with the index tier.

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution

gneumann_splunk
Splunk Employee
Splunk Employee
‎01-03-2017 02:59 PM

You can also see the Splunk Universal Forwarder "Forwarder Manual" and the "How to forward data to Splunk Enterprise" section at http://docs.splunk.com/Documentation/Forwarder/6.5.1/Forwarder/HowtoforwarddatatoSplunkEnterprise. The steps are listed 1-7 at the top of the topic, and you can scroll down for individual configuration steps/info.

Reply
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎12-25-2016 08:12 AM

-- I also tried a separate box for just the forwarder & netstat did say "9997" ESTABLISHED on both machines; still no forwarder data connection.

For that you better start with I can't find my data!

If we look at -

alt text

We can see the Splunk tiers. The forwarders, universal and heavy can be anywhere as long as long as they can interact with the index tier.

Preview file
1 KB
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎12-25-2016 03:20 AM

The Splunk enterprise installation can also be a heavy forwarder.

A Splunk enterprise instance is able to read log files and run scripts just like a universal forwarder, so in this case your installation will be the indexer & search head (note these are just descriptions of what role the installation is playing, it is the same enterprise installation of Splunk), the indexer is able to ingest logs from the local machine or via shares/scripts.

In the scenario you are describing it would not make sense to install a universal forwarder on the same machine, you would want to install the universal forwarder on a remote machine you need to obtain logs from and then you send the logs to your indexer.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...