sudo useradd -m -d /opt/splunk -s /bin/bash -U splunk && \ sudo tar xzvf ~/splunk.tgz -C /opt && \ sudo chown -R splunk:splunk /opt/splunk && \ sudo su -c "/opt/splunk/bin/splunk start --accept-license" splunk
https://docs.splunk.com/Documentation/Splunk/9.1.2/Forwarding/Enableareceiver
export user=user
export password=password
export port=9997
sudo su -c "/opt/splunk/bin/splunk enable listen ${port} -auth ${user}:${password}" splunk
https://docs.splunk.com/Documentation/Splunk/9.1.2/Forwarding/Deployaheavyforwarder
export user=user
export password=password
export host=indexer
export port=9997
sudo su -c "/opt/splunk/bin/splunk enable app SplunkForwarder -auth ${user}:${password}" splunk && \
sudo su -c "/opt/splunk/bin/splunk restart" splunk && \
sudo su -c "splunk add forward-server ${host}:${port} -auth ${user}:${password}" splunk && \
sudo su -c "/opt/splunk/bin/splunk restart" splunk
/opt/splunk/etc/system/local/outputs.conf
[tcpout] defaultGroup = group1,group2 indexAndForward = 0 [tcpout:group1] disabled = false server = receiver1:9997 [tcpout:group2] disabled = false server = receiver2:9997
useradd -m -d /opt/splunkforwarder -s /bin/bash -U splunkfwd && \ sudo tar xzvf ~/splunk-forwarder.tgz -C /opt && \ sudo chown -R splunkfwd:splunkfwd /opt/splunkforwarder && \ sudo /opt/splunkforwarder/bin/splunk start --accept-license