Config for Splunk Universal Forwarder

Matt Feeley
Matt Feeley Posts: 2
edited July 2023 in General Discussions

Does anyone have a splunk universal forwarder config they typically use for forwarding?

Original Question: https://cribl-community.slack.com/archives/CPYBPK65V/p1690293855973699

Original Author: Matt

Best Answer

  • Jon Rust
    Jon Rust Posts: 443 mod
    edited July 2023 Answer ✓

    Really depends on the details, but here's a starting point. This would be in a new app's outputs.conf. The splunk output group is assumed to be in your existing configs. The app name should be higher precedence than the existing (something like 000criblout).

    [tcpout]
    # clone the stream to both cribl and splunk, but don't block if one is down
    defaultGroup   = splunk,cribl_stream
    blockOnCloning = false
    
    [tcpout:cribl_stream]
    # sending to "default" WG in cloud with TLS enabled
    server         = default.main.<instance>.cribl.cloud:9997
    sendCookedData = true
    sslRootCAPath  = $SPLUNK_HOME/etc/auth/cacert.pem
    useSSL         = true
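
    An added check, not part of Jon's post or Cribl's documentation: a small Python script that parses a merged outputs.conf and flags the cloning and TLS settings a reviewer would look at before pushing the app to forwarders. The [tcpout:splunk] stanza, its hostnames and the sslVerifyServerCert expectation are constructed assumptions standing in for the existing config the answer refers to.

```python
"""Sanity-check a merged Splunk outputs.conf for the two-group cloning setup."""
import configparser

# Constructed sample: the cribl_stream stanza from the answer above plus an
# assumed pre-existing [tcpout:splunk] stanza as it might look in another app.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup   = splunk,cribl_stream
blockOnCloning = false

[tcpout:splunk]
server = idx1.example.internal:9997,idx2.example.internal:9997
useSSL = false

[tcpout:cribl_stream]
server         = default.main.<instance>.cribl.cloud:9997
sendCookedData = true
sslRootCAPath  = $SPLUNK_HOME/etc/auth/cacert.pem
useSSL         = true
"""

def _true(value):
    return str(value).strip().lower() in ("true", "1", "yes")

def check_outputs(conf_text):
    """Return a list of findings (empty list means nothing to flag)."""
    cp = configparser.ConfigParser(interpolation=None)  # $SPLUNK_HOME stays literal
    cp.optionxform = str  # keep camelCase option names as written
    cp.read_string(conf_text)
    findings = []
    raw = cp.get("tcpout", "defaultGroup", fallback="")
    groups = [g.strip() for g in raw.split(",") if g.strip()]
    if not groups:
        findings.append("tcpout: no defaultGroup set; nothing is forwarded")
    # Splunk defaults blockOnCloning to true; with two groups that stalls both on one outage
    if len(groups) > 1 and _true(cp.get("tcpout", "blockOnCloning", fallback="true")):
        findings.append("tcpout: blockOnCloning=true; an outage in one group stalls both")
    for g in groups:
        sect = f"tcpout:{g}"
        if not cp.has_section(sect):
            findings.append(f"{sect}: stanza missing (defined in another app?)")
            continue
        if not cp.get(sect, "server", fallback="").strip():
            findings.append(f"{sect}: no server list")
        if not _true(cp.get(sect, "useSSL", fallback="false")):
            findings.append(f"{sect}: useSSL is not true; data leaves the host in clear text")
        else:
            if not cp.get(sect, "sslRootCAPath", fallback="").strip():
                findings.append(f"{sect}: useSSL without sslRootCAPath; server cert cannot be validated")
            if not _true(cp.get(sect, "sslVerifyServerCert", fallback="false")):
                findings.append(f"{sect}: sslVerifyServerCert not enabled; TLS is encrypted but unauthenticated")
    return findings

if __name__ == "__main__":
    for line in check_outputs(SAMPLE_OUTPUTS_CONF) or ["no findings"]:
        print(line)
```

    Run it against the files under the app's local/ directory (or the output of `splunk btool outputs list`) to see the merged result the forwarder will actually use.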
    

Answers


  • Matt Feeley
    Matt Feeley Posts: 2

    Thanks for the starter. Was curious about a standard other folks might follow I was unaware of. Super helpful either way.

  • Jon Rust
    Jon Rust Posts: 443 mod

    I like the above method because I can drop this into a Deployment Server, create a new server class for it, and assign a subset of forwarders to it easily. No change in your default apps. To revert, just remove the servers from the ServerClass. Presto change-o, back to normal.

  • Paul Dott
    Paul Dott Posts: 33 ✭✭
    edited July 2023

    The approach is somewhat documented here as well: https://docs.cribl.io/stream/sources-splunk/#config-splunk-fwd