- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- What's the significance of "add forward-server" on...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What's the significance of "add forward-server" on the universal forwarders?
what's the significance of the add forward-server statement?
splunk add forward-server <host>:<port> -auth <username>:<password>
i'm documenting the forwarder install for some admins to read, and we previously had this step in there for a standalone deployment. i think we'll remove it though with our new distributed deployment.
according to the Answers and Docs it's optional, and i believe i'm hardcoding all the indexer addresses anyways in a forwarder package so it's not needed. it's just difficult for me to follow some of the docs because terminologies are used interchangeably and it sometimes becomes unclear.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this is a super old thread but I was wondering if you could clarify:
i believe i'm hardcoding all the indexer addresses anyways in a forwarder package so it's not needed.
Do you have some documentation on this process?
Any help is appreciated.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The CLI command in question is used to configure receiving endpoint on Universal Forwarder. More info is available here. I am not sure if this is what you're looking for, but this definitely is a good starting point.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thankyou for the reply but i am specifically asking about hardcoding the indexer addresses in a forwarder package
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In that case, you have to include outputs.conf with below settings, in your forwarder package.
## Syntax
[tcpout-server://<ip address>:<port>]
## Example
[tcpout-server://1.1.1.1:9997]
OR
##Syntax:
[tcpout:<target_group>]
server = [<ip>|<servername>]:<port>
##Example:
[tcpout:prod_indexer_group]
server = https://yourIndexer1:9997, https://yourIndexer2:9997
Please have a look at my other answer for more details on above settings. HTH!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The purpose of this CLI command is to add an indexer (or heavy forwarder) to outputs.conf - in a basic setup this is the CLI way to tell your forwarder where to forward to.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
