How can I get notifications.log from the Leader Node and forward it to Splunk?
Install a Splunk UF on the leader or install a Cribl Edge agent on the leader - one of those can forward the leader's logs on.
So there is no way to forward it with the help of the Leader?
There would be an option to send it from workers via Splunk HEC though. But trying to see if Cribl Leader is of any help in this matter
Edge is preferred, of course 🙂
Leaders don't transport data
You can query the API
using a REST Collector
Worker -> REST call to Leader -> send results
And if I have more than one Worker, would it result in duplicates?
No. REST Collections are coordinated by ... the leader
Okay. Thanks a lot!
One solution is to create a REST API Collector.
Collect URL = `http://leader:9000/api/v1/system/logs/notifications.log`
And in the Authentication, use the 'Login' option to obtain the bearer token.
At that point you can forward the data to Splunk.