Configure the forwarding servers

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4

Before you deploy Splunk on all your servers, create the configuration files on one example machine from each forwarding server class. The deployment server will then deploy those files across all of that machine's peers. This allows you to validate your environment before you push configurations to every machine.


Define server classes

Managing multiple servers is easier if you break your servers up into logical groups. These groups are called server classes. Categorize your machines into server classes by which types of data they are logging. Here are some sample categories:


  • OS - group machines by which operating system they are running (linux, solaris9, solaris10, etc.)
  • Application - group machines by which application they are running (Oracle, weblogic, myproprietaryapp, etc.)
  • Location - group machines by physical location

Each machine can be in as many server classes as you wish. More granular server classes mean more configuration files to maintain for future updates. It may be helpful to keep a spreadsheet of the configuration files you modify.


Inputs

Configure your data inputs locally on one server in each server class using the step-by-step instructions for input configuration. If you've decided that you need to set a custom host for a specific input, you will configure that at this point as well.


Processing properties

You should have already picked which processing properties to configure while deciding how Splunk should index your data. Here is an extensive list of all the settings you can change for your server classes:


Continue tweaking these settings until your data appears the way you want both locally and on the central indexer.


Please note: You will only need to set up configurations for event processing. Any custom configuration that happens during indexing or search time will be set up on the receiving servers.


Data distribution

This section refers to the design models outlined in Choose a Deployment Model. You will want to figure out which model works best for your topology, and then follow the links below to configure your server classes.


  • If you have decided that you want to set up distributed input, you will want to configure your server classes to enable forwarding. This configuration will allow you to forward all data from the server class to a specific Splunk server.
  • If you have decided to set up distributed indexing, you will need to enable data balancing on your server classes. This configuration allows you to federate your data amongst multiple Splunk servers.
  • If you have decided to enable data redundancy, you will want to configure your server classes to clone your data. This configuration allows for added redundancy by sending the same event to two or more Splunk servers.
  • If you have decided to use partitioning, you will want to set up routing. This configuration will send only the types of data you specify from your server class to your central Splunk servers.

Data policy

You may have decided to set up variable data retention policies for different data. You will want to configure your server classes to forward to servers with matching data retention policies. Use routing to send your data to the correct server.


Authentication

Set up user accounts on each server class. You can set up LDAP, or use Splunk's built-in method. User settings are controlled in auth.conf.


Please note: you must use a consistent authentication method throughout your environment.

Revision: 207. Community content licensed under Creative Commons.