See Default target groups for more information. defaultGroup=indexer1 This tells the forwarder to send all data to the "indexer1" target group.This global stanza includes two attribute/value pairs: Here's an example of a global tcpout stanza: The global stanza for the tcpout procesor is specified with the header. However, there are several attributes that you can set only at the global level, including defaultGroup and indexAndForward. Here you set any attributes that you want to apply globally. For information on the syslog output processor, see Forward data to third-party systems. Note: This discussion focuses on the tcpout processor, which uses the header. For example, if you specify compressed=true for a target group, the forwarder will send the hosts in that target group compressed data, even if compressed is set to "false" for the global level. (Optional) You can specify configuration values for single hosts (receivers) within a target group.Ĭonfigurations at the more specific level take precedence. Most configuration settings can be specified at the target group level. There can be multiple target groups per output processor. A target group defines settings for one or more receiving indexers. (Optional) At the global level, you specify any attributes that you want to apply globally, as well as certain attributes only configurable at the system-wide level for the output processor. You can configure them at three levels of stanzas: There are two types of output processors: tcpout and syslog. (If a copy of the file already exists in that directory, because of configuration changes made through the CLI, just edit that copy.) For purposes of distribution and management simplicity, you can combine settings from all non-default versions into a single custom nf file.Īfter you make changes to nf, you must restart the forwarder for the changes to take effect.įor detailed information on nf, see the nf spec file. A Splunk best practice is to work with just a single copy of the file, which you place in $SPLUNK_HOME/etc/system/local/. In addition to any nf files that you create and edit indirectly (for example, through the CLI), you can also create or edit an nf file directly. For example, if you're working in the search app, Splunk Enterprise creates the file in $SPLUNK_HOME/etc/apps/search/local/. When you enable a heavy/light forwarder through Splunk Web or the CLI, an nf file gets created in the directory of the active app on the instance. The locations of those versions vary, depending on the type of forwarder and other factors. The forwarder automatically creates or edits custom versions of nf in response to the first three methods. By using Splunk Web (on heavy and light forwarders only).While installing the forwarder (on Windows universal forwarder only).There are several ways you can specify forwarding behavior: When you configure forwarding, changes get saved in custom versions of nf. See Configure forwarding with nf in the Universal Forwarder manual.ĭo not touch default versions of any configuration files, for reasons explained in About configuration files. The universal folder has two default nf files. Splunk Enterprise ships with a single default nf file, located in $SPLUNK_HOME/etc/system/default. No matter how many nf files the forwarder has and where they reside, the forwarder combines all their settings, using the rules of location precedence, as described in Configuration file precedence in the Admin Manual. For details on configuring inputs, see Add data and configure inputs in Getting Data In.Ī single forwarder can have multiple nf files (for instance, one located in an apps directory and another in /system/local). To specify what data the forwarder should collect, you must separately configure the inputs. The topics describing various topologies, such as load balancing and data routing, provide detailed examples on configuring nf to support those topologies.Īlthough nf is a critical file for configuring forwarders, it only addresses where the forwarder should send data. While you can specify some output configurations through Splunk Web (heavy/light forwarders only) or the CLI, most advanced configuration settings require that you edit nf. The nf file defines how forwarders send data to receivers.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |