splunk

splunk [2023/11/29 16:56] – [Configure Receiver to receive data] baumisplunk [2024/01/11 09:41] (current) baumi
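--- a/splunk
+++ b/splunk
@@ -1 +1 @@
-====== Splunk on Linux ======
+====== Splunk Installation ======
 
-===== Install Indexer / Heavy Forwarder =====
+==== Install Indexer / Heavy Forwarder ====
 <code>
-sudo useradd -m -d /opt/splunk splunk && \
-sudo chsh -s /bin/bash splunk && \
+sudo useradd -m -d /opt/splunk -s /bin/bash -U splunk && \
 sudo tar xzvf ~/splunk.tgz -C /opt && \
 sudo chown -R splunk:splunk /opt/splunk && \
@@ -10 +9 @@
 </code>
 
-===== Configure Receiver to receive data =====
+==== Configure Receiver to receive data ====
 https://docs.splunk.com/Documentation/Splunk/9.1.2/Forwarding/Enableareceiver
 <code>
@@ -16 +15 @@
 export password=password
 export port=9997
-sudo su -c "/opt/splunk/bin/splunk enable listen ${port} -auth ${user}:${password}
+sudo su -c "/opt/splunk/bin/splunk enable listen ${port} -auth ${user}:${password}" splunk
 </code>
 
-===== Set-Up Forwarding =====
+==== Set-Up Forwarding ====
 https://docs.splunk.com/Documentation/Splunk/9.1.2/Forwarding/Deployaheavyforwarder
 <code>
@@ -28 +27 @@
 sudo su -c "/opt/splunk/bin/splunk enable app SplunkForwarder -auth ${user}:${password}" splunk && \
 sudo su -c "/opt/splunk/bin/splunk restart" splunk && \
-sudo su -c "splunk add forward-server ${host}:${port} -auth ${user}:${password} && \
+sudo su -c "splunk add forward-server ${host}:${port} -auth ${user}:${password}" splunk && \
 sudo su -c "/opt/splunk/bin/splunk restart" splunk
 </code>
+==== Forward to more than one destinations ====
+/opt/splunk/etc/system/local/outputs.conf
+<file text outputs.conf>
+[tcpout]
+defaultGroup = group1,group2
+indexAndForward = 0
 
-===== Universal Forwarder =====
+[tcpout:group1]
+disabled false
+server = receiver1:9997
+
+[tcpout:group2]
+disabled = false
+server = receiver2:9997
+</file>
+
+==== Universal Forwarder ====
 <code>
-useradd -m -d /opt/splunkforwarder splunkfwd && \
-chsh -s /bin/bash splunkfwd && \
+useradd -m -d /opt/splunkforwarder -s /bin/bash -U splunkfwd && \
 sudo tar xzvf ~/splunk-forwarder.tgz -C /opt && \
 sudo chown -R splunkfwd:splunkfwd /opt/splunkforwarder && \
@@ -41 +54 @@
 </code>
 
-{{tag>linux splunk}}
+{{tag>kb linux splunk}}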
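Review bot: In the new outputs.conf block, `disabled false` under `[tcpout:group1]` is missing the `=` that the `[tcpout:group2]` stanza uses, so that line is not a key/value setting and will presumably be ignored or reported by `splunk btool outputs check` rather than disable or enable anything; it should read `disabled = false`. In the Set-Up Forwarding hunk, the corrected `splunk add forward-server` line is the only command in that sequence that calls `splunk` without the `/opt/splunk/bin/` prefix, so it depends on the splunk user's PATH; `sudo su -c "/opt/splunk/bin/splunk add forward-server ${host}:${port} -auth ${user}:${password}" splunk && \` keeps it consistent with its siblings. The `-auth ${user}:${password}` argument on those `su -c` lines places the admin password on the command line, where other local users can read it from the process list and it is retained in shell history; the Splunk CLI prompts for credentials when `-auth` is omitted, which is worth noting next to `export password=password`.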
splunk.1701273388.txt.gz · Last modified: 2023/11/29 16:56 by baumi
