Once that is established, then you can teach your forwarder what sources of data to collect. Getting a forwarder to send data to another Splunk instance (most likely directly to your indexer) requires an nf on the receiving side with stanza, and an nf on the forwarder side with and stanzas.

AFTER that relationship is established, the add data > forward option would be available to you. The deployment server/deployment client relationship allows you to send apps (instruction bundles) to lots of forwarders at once.

Again, this is completely separate from that add data > forward option you were discussing, which is how you can send remote instructions to your UFs from a central node (deployment server) moving forward. That is going to get your UF to actually be able to send data to your indexer. This can be done multiple ways, but the easiest would be to go to $SPLUNK_HOME\bin on your forwarder and run:

splunk add forward-server $yourIndexer:9997

There's also really no such thing as adding a receiving forwarder on 9997; my guess is that you simply made your Splunk Enterprise instance ready to receive data over 9997.

EDIT: this next chunk, with the command, was accomplished when you 'added' the forwarder during setup based on the response you gave in the thread above.

What you also need is your UF to be able to send data to the indexer. The reason that didn't work is that you may have a UF up and ready, but that doesn't mean the same thing as making it a deployment client ready to receive instructions. This is the deployment server/deployment client mechanism, and is a completely separate thing from having a forwarder forward info. Add Data > Forward is specifically referencing the way to create an input from your Enterprise GUI, and have those input instructions sent to your remote UF.
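The following is an added example, not part of the original post: a small shell check that reports separately whether a UF has a forwarding target and whether it is a deployment client, the two independent relationships described above. The configuration directory, host names and the 8089 port are constructed sample values; on a real forwarder the same files sit under $SPLUNK_HOME/etc.

```shell
#!/bin/sh
# Added example. Sample configs below are constructed, not from the post.

# Print KEY's value from the first stanza whose header starts with "[PREFIX".
conf_value() {  # conf_value FILE PREFIX KEY
    [ -f "$1" ] || return 0
    awk -v prefix="$2" -v key="$3" '
        /^\[/ { in_stanza = (index($0, "[" prefix) == 1); next }
        in_stanza {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key && v != "") { print v; exit }
        }' "$1"
}

# Report the two relationships independently of each other.
check_uf() {  # check_uf CONF_DIR
    fwd=$(conf_value "$1/outputs.conf" "tcpout:" server)
    ds=$(conf_value "$1/deploymentclient.conf" "target-broker:" targetUri)
    echo "forwarding=${fwd:-none} deployment_client=${ds:-none}"
}

# Constructed case 1: the UF forwards to an indexer but is not a deployment
# client, so it cannot receive input instructions from a central node.
demo_dir=$(mktemp -d)
cat > "$demo_dir/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = primary

[tcpout:primary]
server = idx.example.test:9997
EOF
check_uf "$demo_dir"

# Constructed case 2: the same UF after it is also pointed at a deployment server.
cat > "$demo_dir/deploymentclient.conf" <<'EOF'
[target-broker:deploymentServer]
targetUri = ds.example.test:8089
EOF
check_uf "$demo_dir"
```
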