Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?
In Splunk, to forward internal logs from a search head to an indexer, the correct configuration file to modify is outputs.conf. This file is used to configure the forwarding of data from one Splunk instance to another, specifying the target indexers. Input configurations, such as inputs.conf, are used to define and monitor data inputs but are not specifically used for forwarding internal Splunk logs. Therefore, outputs.conf is the appropriate choice for this task.
C is correct. https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata
Per the provided Splunk reference URL by @hwangho, scroll to section Forward search head data, subsection titled, 2. Configure the search head as a forwarder. "Create an outputs.conf file on the search head that configures the search head for load-balanced forwarding across the set of search peers (indexers)."
Friends, could you please confirm this answer?
In outputs.conf:

[tcpout]
defaultGroup = indexers1

[indexAndForward]
index = false

[tcpout:indexers1]
server = 10.1.1.197:9997, 10.1.1.200:9997
This community usually gets these questions right, but I'm surprised by how many are putting the wrong answer. The correct answer is C. See the link in hwangho's post. Search heads, and all Splunk instances, already have inputs built to read internal logs by default. They just need an outputs.conf to create a tcpout stanza to your indexers to get them to send their internal logs, which is what this question is asking about. In our Splunk environment we have NEVER set up inputs for internal logs, we only deploy an outputs.conf with our indexers listed in a tcpout stanza, and we get all of our internal logs just fine. If you had other logs on a search head (like from a script or something), then yes, you would need an inputs.conf to get those to be read. But that is definitely not what this question is asking about.
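As an added illustration of the outputs.conf layout discussed in this thread (this is example code, not Splunk's own tooling and not from any poster here), the script below parses the stanzas a search head needs and checks that defaultGroup points at a defined tcpout group with well-formed host:port entries and that local indexing is switched off. The sample configuration, its group name and its IP addresses are constructed placeholders.

```python
"""Sanity-check a minimal Splunk outputs.conf used to forward a search head's
internal logs to indexers. Added example, not part of Splunk or this thread."""
import configparser
import re

# Constructed sample mirroring the stanzas discussed above; addresses are placeholders.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = indexers1

[indexAndForward]
index = false

[tcpout:indexers1]
server = 10.1.1.197:9997, 10.1.1.200:9997
"""

HOSTPORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")


def parse_outputs_conf(text):
    """Return {stanza_name: {attribute: value}} for an INI-style Splunk conf file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk attribute names are case-sensitive; keep them as written
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check_forwarding(conf):
    """Return a list of problems; an empty list means the config forwards to a valid group."""
    problems = []
    group = conf.get("tcpout", {}).get("defaultGroup")
    if not group:
        problems.append("[tcpout] has no defaultGroup, so nothing is forwarded by default")
        return problems
    stanza = conf.get(f"tcpout:{group}")
    if stanza is None:
        problems.append(f"defaultGroup '{group}' has no matching [tcpout:{group}] stanza")
        return problems
    servers = [s.strip() for s in stanza.get("server", "").split(",") if s.strip()]
    if not servers:
        problems.append(f"[tcpout:{group}] lists no server entries")
    for server in servers:
        if not HOSTPORT.match(server):
            problems.append(f"malformed server entry '{server}' (expected host:port)")
    # The stanza posted above sets index = false so the search head does not also index locally.
    if conf.get("indexAndForward", {}).get("index", "false").lower() != "false":
        problems.append("[indexAndForward] index is not false; search head would also index locally")
    return problems


def target_servers(conf):
    """List the indexer host:port targets of the default tcpout group."""
    group = conf["tcpout"]["defaultGroup"]
    return [s.strip() for s in conf[f"tcpout:{group}"]["server"].split(",")]


if __name__ == "__main__":
    parsed = parse_outputs_conf(SAMPLE_OUTPUTS_CONF)
    print("targets:", target_servers(parsed))
    print("problems:", check_forwarding(parsed) or "none")
```

Run it against the contents of a real outputs.conf (read the file instead of the constructed string) to confirm the group referenced by defaultGroup actually exists before deploying the file to a search head.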
B for sure. inputs.conf allows you to define data inputs that the Splunk instance should monitor and forward to indexers. Use monitor stanza specifying the path to log files and destination indexer’s host name, port. Stanza Sample:

[monitor:///opt/splunk/var/log/splunk]
index = _internal
sourcetype = splunkd
disabled = false
_TCP_ROUTING = indexer_group
The correct answer is B. inputs.conf is used to configure the inputs on a Splunk instance, including forwarding data from one instance to another. In this case, to forward the Splunk internal logs from a search head to the indexer, you would need to add a stanza to inputs.conf on the search head that specifies the indexer as the destination for the logs. The props.conf file is used to configure how data is processed after it has been indexed, outputs.conf is used to configure the destination of data for specific stanzas, and collections.conf is used for managing data in collections.
Just for a little clarification, configuring the sh as a forwarder using outputs.conf does not necessarily tell the sh to send a certain type of data that you would use inputs.conf for. However, this is talking about _internal, which I believe is data that is sent by default, without the need for inputs.conf. Please correct me if I am wrong here