- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Re: How to export forwarder configuration
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have installed the forwarder in DC and other server as Indexer.
I do not know how was installed.
I would like to export Forwarder configuration because I have to install a new Forwarder with the same configuration to delete the old one.
What files need to be copied / check?
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is usually configured inside the SplunkForwarder app
$SPLUNK_HOME/etc/apps/SplunkForwarder
but it may be that you configured it in a different way...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, thanks.
Is necessary change something in the Indexer server?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The indexer needs to have an inputs.conf with [splunktcp://9997] stanza. You can check to see if your indexer is listening with netstat (assuming nix):
~ $ netstat -tnlp | grep 9997
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN 24504/splunkd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I already have this sentece in inputs.conf.
I supposed that is not needed in the Indexer point to Forwarder...
I see with the comand "netstat -a" something like that:
TCP [IP of indexer]:9997 [IP of forwarder]:62244
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi xabidh,
If you want to implement existing configurations from old forwarder to the new one, I suggest you copy the entirety of $SPLUNK_HOME/etc folder. Copying this folders means you copy all installed apps of old forwarder, inputs.conf, outputs.conf, authentication, and other configurations which has previously been defined on the old one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is usually configured inside the SplunkForwarder app
$SPLUNK_HOME/etc/apps/SplunkForwarder
but it may be that you configured it in a different way...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have checked all files inside this folder C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder but I cannot find the file where its configured the indexer. What is the file name where should be contained the IP/name of indexer server?
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
check any available outputs.conf on your forwarder
cheers, MuS
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
