Differences

This shows you the differences between two versions of the page.

--- splunk [2023/12/22 07:32] – [Universal Forwarder] baumi
+++ splunk [2024/01/11 09:41] (current) – baumi
@@ Line 1: / Line 1: @@
-====== Splunk on Linux ======
+====== Splunk Installation ======
-===== Install Indexer / Heavy Forwarder =====
+==== Install Indexer / Heavy Forwarder ====
 <code>
-sudo useradd -m -d /opt/splunk splunk && \
+sudo useradd -m -d /opt/splunk -s /bin/bash -U splunk && \
-sudo chsh -s /bin/bash splunk && \
 sudo tar xzvf ~/splunk.tgz -C /opt && \
 sudo chown -R splunk:splunk /opt/splunk && \
@@ Line 10: / Line 9: @@
 </code>
-===== Configure Receiver to receive data =====
+==== Configure Receiver to receive data ====
 https://docs.splunk.com/Documentation/Splunk/9.1.2/Forwarding/Enableareceiver
 <code>
@@ Line 19: / Line 18: @@
 </code>
-===== Set-Up Forwarding =====
+==== Set-Up Forwarding ====
 https://docs.splunk.com/Documentation/Splunk/9.1.2/Forwarding/Deployaheavyforwarder
 <code>
@@ Line 31: / Line 30: @@
 sudo su -c "/opt/splunk/bin/splunk restart" splunk
 </code>
+==== Forward to more than one destinations ====
+/opt/splunk/etc/system/local/outputs.conf
+<file text outputs.conf>
+[tcpout]
+defaultGroup = group1,group2
+indexAndForward = 0
-===== Universal Forwarder =====
+[tcpout:group1]
+disabled = false
+server = receiver1:9997
+[tcpout:group2]
+disabled = false
+server = receiver2:9997
+</file>
+==== Universal Forwarder ====
 <code>
 useradd -m -d /opt/splunkforwarder -s /bin/bash -U splunkfwd && \
@@ Line 40: / Line 54: @@
 </code>
-{{tag>linux splunk}}
+{{tag>kb linux splunk}}