I'm trying to set up a test environment to be used in production. Will be taking data from another Splunk heavy forwarder (HF) and sending it to our HF.
Must use UDP to transmit the data.
I have played around with creating the output.conf/input.conf, props.conf, and transforms. But it keeps looking like it's indexing in the first HF, and not getting to the second HF.
I have tested with Netcat that UDP is sent to the other machine (UDP) watching with tcpdump.
Was using UDP:1514 for testing purposes.
If anyone can assist. I can try and add the .conf files, but I think they are all messed up now, that not sure if it would be helpful to post them.
↧