Getting Data In

Splunk heavy forwarding, how to index logs on receiving end

balajivs
New Member

Hi,
I have configured Splunk heavy forwarder in 2 machines. I want to send logs from one machine to another and expect the receiver to store all the received logs in an index called "receivedlogs".  

This is the video I followed to configure Splunk: https://www.youtube.com/watch?v=S4ekkH5mv3E&t=454s&ab_channel=Splunk%26MachineLearning

Thank you.

0 Karma

gcusello
SplunkTrust

Hi @balajivs,

let me understand:

  • you have two machines, both configured as Heavy Forwarders (HF1 and HF2),
  • HF1 has to send logs to HF2, is that correct?
  • I can suppose that you also have at least one other machine configured as an Indexer that will finally receive the logs, is that correct?
  • Does HF2 locally store a copy of the data, or does it forward all the data to the Indexer?

Anyway, if HF1 locally inputs logs, you can configure the index in the inputs.conf file.

If instead HF1 receives and forwards logs, you have to configure selective indexing and forwarding on HF1 as described at https://docs.splunk.com/Documentation/Splunk/8.2.2/Forwarding/Routeandfilterdatad#Perform_selective_...

Ciao.

Giuseppe

0 Karma

balajivs
New Member

Hi @gcusello ,
On machine 1 I have configured inputs.conf in such a way that it monitors locally stored logs. The outputs.conf is configured to send those locally stored logs to machine 2's port 9997. Machine 2 is listening on port 9997 and by default stores the received logs in the index "main".
I want to store the logs received on port 9997 in a specific index called "receivedlogs". I tried going through the documentation you mentioned but I was unable to find a proper solution.

Thank you.

0 Karma

gcusello
SplunkTrust

Hi @balajivs,

I try to translate:

  • HF1 is the log source,
  • if you only have to collect logs, you don't need a Heavy Forwarder (which, as its name says, is a heavy monitoring system); you could probably use a Universal Forwarder, which is lighter;
  • HF2 isn't a Heavy Forwarder but an Indexer.

Now, you have two choices to define the index:

  • on the first machine, you could insert the index definition in the inputs;
  • on the second machine, you could use the selective indexing I described in my previous answer.

My hint is to define the index on the first machine; you can do this in many ways:

  • editing inputs.conf on the first machine and adding "index = receivedlogs" in the stanza related to the log input;
  • otherwise, you can open the web GUI at the page you used to configure the input; in the middle of the window there's a field "index" where you can define the index to store the logs. If you don't see the index listed in the dropdown, you have to use the other solution or create a local empty index with the same name.

Ciao.

Giuseppe

0 Karma
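The first option above (choosing the index at the source) written out as an added example; this is not configuration from the thread or from Splunk's documentation. The monitored path /var/log/app/app.log, the sourcetype app_log, the output group name and the hostname machine2 are placeholders; the port 9997 and the index name receivedlogs are the ones from the thread. Since a heavy forwarder parses events before sending them, the index is assigned on machine 1, and the receiving machine only needs to listen and to have the index defined.

```ini
# --- Machine 1 (HF1): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Hypothetical monitored file. The index is assigned here, at the source,
# because a heavy forwarder parses the data before forwarding it.
[monitor:///var/log/app/app.log]
index = receivedlogs
sourcetype = app_log
disabled = 0

# --- Machine 1 (HF1): $SPLUNK_HOME/etc/system/local/outputs.conf ---
# "machine2" is a placeholder hostname; 9997 is the port used in the thread.
[tcpout]
defaultGroup = to_machine2

[tcpout:to_machine2]
server = machine2:9997

# --- Machine 2 (receiver): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Receiving port for forwarded (cooked) data.
[splunktcp://9997]
disabled = 0

# --- Machine 2 (receiver): $SPLUNK_HOME/etc/system/local/indexes.conf ---
# The target index must exist on the receiving side; events addressed to an
# index that is not defined there are dropped, with a warning in splunkd.log.
[receivedlogs]
homePath   = $SPLUNK_DB/receivedlogs/db
coldPath   = $SPLUNK_DB/receivedlogs/colddb
thawedPath = $SPLUNK_DB/receivedlogs/thaweddb
```

After restarting both instances, confirm on machine 1 which stanza wins with `splunk btool inputs list --debug`, then search `index=receivedlogs` on machine 2. If the index is missing on the receiver, nothing lands in "main" either: unless indexes.conf on the receiver sets lastChanceIndex, the events are discarded, so creating the index on machine 2 is the step most easily forgotten.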

PickleRick
SplunkTrust

Also, correct me if I'm wrong, if OP chooses to write the messages locally to an index on the indexer and also forward them to another Splunk instance where they will get separately indexed, the indexed events will consume the license twice - once on the intermediate indexer, once on the destination indexer.

0 Karma