Configure the forwarding servers
Before you roll Splunk out to all of your servers, build and test the configuration files on one representative machine of each forwarding server class. The deployment server then pushes those files to every other member of the class. Validating on a single machine first lets you catch mistakes before a configuration reaches every host.
Define server classes
Managing multiple servers is easier if you break your servers up into logical groups. These groups are called server classes. Categorize your machines into server classes by which types of data they are logging. Here are some sample categories:
- OS - group machines by which operating system they are running (linux, solaris9, solaris10, etc)
- Application - group machines by which application they are running (Oracle, weblogic, myproprietaryapp, etc.)
- Location - group machines by physical location
Each machine can belong to as many server classes as you wish. Be aware that more granular server classes mean more configuration files to maintain on every future update. It may be helpful to keep a spreadsheet of which configuration files you modify for each class.
Inputs
Configure your data inputs locally on one server in each server class using the step-by-step instructions for input configuration. If you've decided that you need to set a custom host for a specific input, you will configure that at this point as well.
Processing properties
You should have already picked which processing properties to configure while deciding how Splunk should index your data. The following are the processing settings you can change for a server class:
- If you would like to create additional indexed fields, follow the instructions on defining additional fields.
- Please note: at this point you only need to configure fields that are extracted at index time. Search-time extracted fields can be set up later.
- If you need to change how host is assigned, you can either extract host from within the event, or dynamically set host from the source.
- You can change timestamp recognition by turning off timestamp lookahead. This is one way to eliminate processing steps.
- If you want to change how events are recognized, set event boundaries.
- To mask sensitive data, configure the event to be rewritten as it is processed on input, so the original value never leaves the forwarding server. Masking is regex-based: it only catches the patterns you anticipated, and the masked value cannot be recovered afterwards, so test the expression against representative sample events and confirm on the receiving server that the sensitive value no longer appears.
- If you have decided to change indexing density, set up segmenters.conf to specify minor and major breakers.
- Finally, you can tune down or eliminate event-type auto-discovery. This is another way to eliminate processing steps.
Continue adjusting these settings until your data appears the way you want both locally and on the central indexer.
Please note: only event-processing configuration belongs on the forwarding server classes. Any custom configuration that applies at indexing or search time on the receiver is set up on the receiving servers.
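The following is an added example, not configuration taken from the original page, showing how the input and processing settings above fit together for one hypothetical server class (an application server logging to /var/log/myapp/app.log with a sourcetype called myapp). The server class name, file paths, host name, field names and the session-id format are assumptions. The stanza keys are the ones documented for later Splunk releases and are assumed to apply to this version; check them against the .spec files shipped with your Splunk installation before deploying.

```ini
# inputs.conf on the "app-linux" server class: monitor the application log
# and set a custom host for this input (path, sourcetype and host are assumptions).
[monitor:///var/log/myapp/app.log]
sourcetype = myapp
host = app01.example.com

# props.conf: event processing for the myapp sourcetype, done on the forwarder.
[myapp]
# Event boundaries: every line is its own event, so never merge lines.
SHOULD_LINEMERGE = false
# Timestamp recognition: the timestamp is at the start of the line, so do not
# look further than 25 characters into the event for it.
MAX_TIMESTAMP_LOOKAHEAD = 25
# Index-time transforms, applied in this order. Masking runs first so that the
# unmasked value is never used by anything that follows.
TRANSFORMS-mask = mask_session_id
TRANSFORMS-host = host_from_event
TRANSFORMS-fields = client_ip_field

# transforms.conf
# Mask sensitive data: rewrite _raw before the event leaves the host. The last
# four characters of the session id are kept so events can still be correlated.
[mask_session_id]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=########$2
DEST_KEY = _raw

# Extract host from within the event: the event carries "srv=<hostname>".
[host_from_event]
REGEX = srv=(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

# Additional indexed field: the client IP that starts each event.
[client_ip_field]
REGEX = ^(\d{1,3}(?:\.\d{1,3}){3})\s
FORMAT = client_ip::$1
WRITE_META = true
```

After restarting the forwarder, search the central indexer for the unmasked pattern (for example a full session id copied from a test event) and confirm it returns nothing; if it does, the regex did not match that event format and the value has already been forwarded in the clear.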
Data distribution
This section refers to the design models outlined in Choose a Deployment Model. You will want to figure out which model works best for your topology, and then follow the links below to configure your server classes.
- If you have decided to set up distributed input, configure your server classes to enable forwarding. This sends all data from the server class to a specific Splunk server.
- If you have decided to set up distributed indexing, enable load balancing on your server classes. This spreads the data from a server class across multiple Splunk servers.
- If you have decided to enable data redundancy, configure your server classes to clone your data. This adds redundancy by sending the same event to two or more Splunk servers.
- If you have decided to use partitioning, set up routing. This sends only the types of data you specify from your server class to your central Splunk servers.
Data policy
You may have decided to set up different data retention policies for different kinds of data. Retention is a property of the receiving server, so configure your server classes to forward each kind of data to the servers whose retention policy matches it. Use routing to send the data to the correct server.
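The following is an added example, not configuration from the original page, covering both the data distribution models above (forwarding, load balancing, cloning, routing) and the data policy case of routing one kind of data to receivers with a longer retention period. Host names, ports, group names and the secure_audit sourcetype are assumptions. The keys are the ones documented for later Splunk releases (in particular autoLB) and are assumed to apply to this version; check them against the outputs.conf .spec file shipped with your forwarder.

```ini
# outputs.conf on the server class (host names, ports and group names are assumptions).
[tcpout]
# Distributed input: by default every event goes to this one group.
# Data redundancy (cloning): list two groups here, for example
#   defaultGroup = primary_indexers, secondary_indexers
# and every event is sent to both.
defaultGroup = primary_indexers

# Distributed indexing: spread events across the servers in the group.
[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
autoLB = true

# Receivers with a longer retention policy (data policy section).
[tcpout:longterm_indexers]
server = archive1.example.com:9997

# props.conf: partitioning. Only the secure_audit sourcetype is redirected;
# everything else still follows defaultGroup.
[secure_audit]
TRANSFORMS-routing = route_audit

# transforms.conf: override the destination group for every matching event.
[route_audit]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = longterm_indexers
```

Because routing is decided per event on the forwarder, verify it the same way you verify the other processing settings: send a few secure_audit events through a test member of the class and confirm they arrive only on archive1 and not on the primary indexers.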
Authentication
Set up user accounts on each server class. You can use LDAP or Splunk's built-in authentication. User settings are controlled in auth.conf.
Please note: you must use the same authentication method (LDAP or built-in) throughout your environment, rather than mixing methods between server classes.
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4