Setup:
– Splunk Universal Forwarder on a server
– Pointed at a Splunk Enterprise instance that’s configured for receiving and forwarding (yeah, very easy)
– Receiver/Forwarder is pointed at another Splunk Enterprise instance that does the actual indexing
Note, if you have anything in props.conf on your indexer, you will have to put that on the receiver/forwarder. Otherwise it won’t work, and you’ll get the unclean rows. As soon as you put the same props.conf file on the receiver/forwarder instance, all is well again.
Figured I’d share. It could be a bit of a gotcha.
No comments:
Post a Comment