Config for Splunk Universal Forwarder
Does anyone have a splunk universal forwarder config they typically use for forwarding?
Original Question: https://cribl-community.slack.com/archives/CPYBPK65V/p1690293855973699
Original Author: Matt
Best Answer
-
Really depends on the details, but here's a starting point. This would be in a new app's outputs.conf. The splunk output group is assumed to be in your existing configs. The app name should be higher precedence than the existing (something like 000criblout).

[tcpout]
# clone the stream to both cribl and splunk, but don't block if one is down
defaultGroup = splunk,cribl_stream
blockOnCloning = false

[tcpout:cribl_stream]
# sending to "default" WG in cloud with TLS enabled
server = default.main.<instance>.cribl.cloud:9997
sendCookedData = true
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
useSSL = true
2
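The answer above relies on three things lining up: every group named in defaultGroup has a matching [tcpout:<group>] stanza (the splunk one lives in a different app), blockOnCloning is false so a Cribl outage does not stall the Splunk path, and the Cribl Cloud group has TLS with a CA path set. The following Python check is an added example, not code from the original answer or from Cribl or Splunk; it parses an outputs.conf in Splunk's INI-style syntax and reports which of those invariants are missing. The sample config is constructed from the answer, with a placeholder [tcpout:splunk] stanza (server idx1.example.internal is hypothetical) standing in for the pre-existing app, and the `<instance>` placeholder is kept as on the page.

```python
"""Sanity-check a Splunk UF outputs.conf that clones to Splunk and Cribl Stream."""
import configparser
from typing import Dict, List

# Constructed sample: the cribl_stream stanza is taken from the answer above.
# The [tcpout:splunk] stanza is a hypothetical stand-in for the group that the
# answer assumes already exists in another app on the forwarder.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
# clone the stream to both cribl and splunk, but don't block if one is down
defaultGroup = splunk,cribl_stream
blockOnCloning = false

[tcpout:cribl_stream]
# sending to "default" WG in cloud with TLS enabled
server = default.main.<instance>.cribl.cloud:9997
sendCookedData = true
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
useSSL = true

[tcpout:splunk]
# placeholder for the pre-existing indexer group (assumed, normally in another app)
server = idx1.example.internal:9997
"""


def parse_outputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf syntax: INI-like, '#' comments, case-sensitive keys."""
    cp = configparser.RawConfigParser(
        comment_prefixes=("#",),
        delimiters=("=",),
        strict=False,          # tolerate repeated keys, as splunkd does
        interpolation=None,    # keep $SPLUNK_HOME literal
    )
    cp.optionxform = str       # do not lower-case keys: useSSL must stay useSSL
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def check_cloning_config(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the cloning setup is consistent."""
    problems: List[str] = []
    top = sections.get("tcpout", {})
    groups = [g.strip() for g in top.get("defaultGroup", "").split(",") if g.strip()]

    if len(groups) < 2:
        problems.append("defaultGroup names fewer than two groups; nothing is cloned")
    # Splunk's default for blockOnCloning is true, which would let one dead
    # destination back-pressure the other one.
    if top.get("blockOnCloning", "true").lower() != "false":
        problems.append("blockOnCloning is not false; an outage of one group will stall both")

    for group in groups:
        stanza = sections.get(f"tcpout:{group}")
        if stanza is None:
            problems.append(f"defaultGroup references '{group}' but no [tcpout:{group}] stanza exists")
            continue
        servers = stanza.get("server", "")
        if not servers:
            problems.append(f"[tcpout:{group}] has no server setting")
        # Anything leaving the network for Cribl Cloud must be TLS-protected and
        # pinned to a CA bundle, and stay cooked so Stream sees Splunk metadata.
        if "cribl.cloud" in servers:
            if stanza.get("useSSL", "false").lower() != "true":
                problems.append(f"[tcpout:{group}] sends to Cribl Cloud without useSSL = true")
            if not stanza.get("sslRootCAPath"):
                problems.append(f"[tcpout:{group}] has useSSL but no sslRootCAPath to validate the server")
            if stanza.get("sendCookedData", "true").lower() != "true":
                problems.append(f"[tcpout:{group}] sends raw data; sendCookedData should be true")
    return problems


if __name__ == "__main__":
    issues = check_cloning_config(parse_outputs_conf(SAMPLE_OUTPUTS_CONF))
    print("OK" if not issues else "\n".join(issues))
```

Point it at a real file with `parse_outputs_conf(open(path).read())` after merging the app layers you care about; the check is only meaningful on the effective config, so a stanza missing here may simply live in a lower-precedence app.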
Answers
-
Thanks for the starter. Was curious about a standard other folks might follow that I was unaware of. Super helpful either way.
0 -
I like the above method because I can drop this into a Deployment Server, create a new server class for it, and assign a subset of forwarders to it easily. No change in your default apps. To revert, just remove the servers from the ServerClass. Presto-change-oh, back to normal.
0 -
The approach is somewhat documented here as well
0