Project requirements: server A (192.168.149.200) forwards the files under a path to server B (192.168.149.100).
Implementation: install Splunk Enterprise (which includes the heavy forwarder function) or a Splunk universal forwarder (splunkforwarder) on server A, and install Splunk Enterprise on server B to receive the data forwarded from A and index it. The forwarder configuration is substantially the same in both cases; the following focuses on how to configure the forwarder (using Splunk Enterprise as the example).
Implementation steps:
1. Install Splunk Enterprise on both A and B. Installation method: upload splunk.tar.gz to a path on the server and extract it (e.g. the installation path is /var/splunk).
2. Configure the receiving port on the receiving server B: Settings - Forwarding and receiving - Configure receiving - Add.
Configure the default receiving port: 9997.
3. Configure forwarding on forwarder A. For example, server A forwards the csv files under the log path /var/logs/ into the index csv_log on server B (the index must first be created on B).
Two configuration files are involved: /var/splunk/etc/system/local/inputs.conf and /var/splunk/etc/system/local/outputs.conf
(1) outputs.conf is configured as follows:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
# Destination address and port to forward to
server = 192.168.149.100:9997
[tcpout-server://192.168.149.100:9997]
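(2) inputs.conf is configured as follows:
[default]
# Default value here: the server's name
host = box
# Path of the logs to forward; this can be a specific file or contain wildcards
[monitor:///tmp/logs/*.csv]
# Source type; may be left unset, in which case it is matched automatically from the logs
sourcetype = csv
# Name of the index in B to forward to
index = csv_log
Note: the three setting lines above (the [monitor://...] header, sourcetype and index) form one unit. If there are several requirements, for example forwarding files under different paths to different indexes in B, copy those three lines, modify them and append them.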
[monitor://xxx]
sourcetype = xxx
index = xxx
.....
[monitor://xxx]
sourcetype = xxx
index = xxx
4. After the configuration is complete, restart Splunk.
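Splunk treats `#` as a comment only at the start of a line, so a note typed after a value becomes part of that value, and a monitor stanza without an index does not land in the intended index on B. The following check is an added example, not part of the original page or of Splunk; the function name lint_conf and the sample file contents are assumptions made for illustration. Run it over inputs.conf before the restart in step 4:

```python
import re

# Constructed sample (not from the page): its inputs.conf layout with a
# trailing comment on one value and a monitor stanza that lacks an index.
SAMPLE_INPUTS = """\
[default]
host = box

# csv logs go to index csv_log on B
[monitor:///tmp/logs/*.csv]
sourcetype = csv
index = csv_log  # index on B

[monitor:///tmp/logs/app.log]
sourcetype = app
"""

STANZA = re.compile(r"^\[([^\]]+)\]\s*(.*)$")
SETTING = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def lint_conf(text):
    """Return sorted (line_number, message) findings for one .conf file."""
    findings = []
    stanzas = {"default": (0, {})}   # name -> (header line, settings)
    current = "default"              # settings before any header are global
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                 # blank, or a real whole-line comment
        if (m := STANZA.match(line)):
            current = m.group(1)
            stanzas.setdefault(current, (no, {}))
            if m.group(2):
                findings.append((no, "text after stanza header"))
        elif (m := SETTING.match(line)):
            key, value = m.groups()
            stanzas[current][1][key] = value
            if re.search(r"\s#", value):
                findings.append((no, f"trailing comment kept in value of {key}"))
        else:
            findings.append((no, "unparseable line"))
    inherited = stanzas["default"][1]
    for name, (no, settings) in stanzas.items():
        if name.startswith("monitor://") and "index" not in {**inherited, **settings}:
            findings.append((no, f"[{name}] sets no index"))
    return sorted(findings)
```

A value that legitimately contains whitespace followed by `#` is also reported, so treat each finding as a line to review rather than a certain error.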