How to transfer the search head's internal logs and summary index to the indexer
- Release date: 2019.01.11
- Last updated: 2019.01.11
- Version: Splunk Enterprise 6.2.6, 7.1.4
Overview
- By forwarding the search head's index data to the indexers, the search head's internal logs and summary indexes can be managed centrally on the indexers.
- There are two ways to configure this: from Splunk Web, or by editing the configuration file.
- This setting has some caveats:
  - You may need to increase the size of the indexers' internal indexes (such as _internal), depending on your environment.
  - This setting forwards all data ingested by the search head, not only its internal logs.
  - Only data generated after the change is forwarded to the indexers; existing data stays on the search head.
Reference information
- How to forward search head data to the indexer layer (Splunk documentation)
http://docs.splunk.com/Documentation/Splunk/7.1.4/DistSearch/Forwardsearchheaddata
Contents
Purpose of the setting
By forwarding the search head's index data to the indexers, the internal logs and summary indexes of both the search head and the indexers can be managed centrally on the indexers.
Configuration methods
There are two ways to configure this: from Splunk Web, or by editing the configuration file. In both cases the indexers must already be configured to receive data on the port you specify (on each indexer, Settings > Forwarding and receiving > Configure receiving, or a [splunktcp://<port>] stanza in inputs.conf).
○ Configuration from Splunk Web
【Procedure】
- In Splunk Web, select "Settings > Forwarding and receiving" from the menu at the top right of the screen.
- On the Forwarding and receiving page, select "Forwarding defaults".
- Set "Store a local copy of forwarded events?" to "No" and select "Save". This stops the search head from keeping its own copy of the data it forwards (the same effect as indexAndForward = false in outputs.conf).
- Back on the Forwarding and receiving page, select the "Add new" button to the right of "Configure forwarding".
- A screen for entering the forwarding destination opens. Specify the destination in the host field as "host:port" or "IP:port" (the indexer's receiving port) and select "Save". Repeat for each indexer.
○ Editing the configuration file
Edit outputs.conf on the search head as follows.
[Example: forwarding internal logs]
* This example distributes the data across three indexers (Indexer A, B, C).

$SPLUNK_HOME/etc/system/local/outputs.conf

[indexAndForward]
index = false

[tcpout]
defaultGroup = test
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:test]
server = <Indexer A IP>:<receiving port>,<Indexer B IP>:<receiving port>,<Indexer C IP>:<receiving port>
autoLB = true

What each setting does:
- [indexAndForward] index = false: the search head stops indexing data locally.
- [tcpout] indexAndForward = false: no local copy of forwarded events is kept on the search head.
- [tcpout] forwardedindex.filter.disable = true: disables the default forwardedindex whitelist/blacklist filters, so every index, including the internal ones, is forwarded.
- [tcpout:test] server: the list of indexers and their receiving ports; autoLB = true spreads the forwarded data across them.

* For a default installation:
$SPLUNK_HOME (Linux): /opt/splunk
$SPLUNK_HOME (Windows): C:\Program Files\Splunk

* The Splunk service on the search head must be restarted for the change to take effect.
Example:
$SPLUNK_HOME/bin/splunk restart
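The following is an added example, not part of the original FAQ or of Splunk's own tooling. It generates the outputs.conf shown above for any number of indexers and then lints an outputs.conf for the settings the procedure depends on (local indexing off, no local copy, index filters disabled, a well-formed server list). The function names, the default port 9997 and the sample indexer addresses are this example's own assumptions.

```python
"""Render and lint a search head outputs.conf for forwarding to indexers.

Added example (not the FAQ's or Splunk's code). Function names, the
default port 9997 and any sample addresses are assumptions of this example.
"""
import configparser
import re

# host:port entries; IPv4 or hostname only (IPv6 literals are not handled here)
HOST_PORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")


def render_outputs_conf(indexers, port=9997, group="test"):
    """Build outputs.conf text for a search head that forwards everything
    to `indexers` (hostnames or IPs) and keeps no local copy."""
    if not indexers:
        raise ValueError("at least one indexer is required")
    servers = ",".join(f"{host}:{port}" for host in indexers)
    return (
        "[indexAndForward]\n"
        "index = false\n"                          # search head stops indexing locally
        "\n"
        "[tcpout]\n"
        f"defaultGroup = {group}\n"
        "forwardedindex.filter.disable = true\n"   # forward every index, internal ones included
        "indexAndForward = false\n"                # no local copy of forwarded events
        "\n"
        f"[tcpout:{group}]\n"
        f"server = {servers}\n"
        "autoLB = true\n"                          # spread the load across the listed indexers
    )


def check_outputs_conf(text):
    """Return a list of problems; an empty list means the file matches the
    settings the procedure requires."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    problems = []

    def val(section, key):
        return cp.get(section, key, fallback="").strip().lower()

    if val("indexAndForward", "index") != "false":
        problems.append("[indexAndForward] index should be false (search head would keep indexing locally)")
    if val("tcpout", "indexAndForward") != "false":
        problems.append("[tcpout] indexAndForward should be false (a local copy of forwarded events would be kept)")
    if val("tcpout", "forwardedindex.filter.disable") != "true":
        problems.append("[tcpout] forwardedindex.filter.disable should be true (default filters may drop some indexes)")

    group = cp.get("tcpout", "defaultGroup", fallback="").strip()
    if not group:
        problems.append("[tcpout] defaultGroup is missing")
        return problems
    stanza = f"tcpout:{group}"
    if not cp.has_section(stanza):
        problems.append(f"[{stanza}] stanza is missing")
        return problems

    servers = [s.strip() for s in cp.get(stanza, "server", fallback="").split(",") if s.strip()]
    if not servers:
        problems.append(f"[{stanza}] server list is empty")
    for entry in servers:
        if not HOST_PORT.match(entry):
            problems.append(f"[{stanza}] bad server entry {entry!r}; expected host:port")
    if len(servers) > 1 and val(stanza, "autoLB") == "false":
        problems.append(f"[{stanza}] autoLB is false with several servers; set it to true to distribute across them")
    return problems


if __name__ == "__main__":
    # Constructed sample: three indexers on a private network, all on port 9997.
    conf = render_outputs_conf(["10.0.0.11", "10.0.0.12", "10.0.0.13"])
    print(conf)
    print("problems:", check_outputs_conf(conf))
```

Run the linter against the search head's $SPLUNK_HOME/etc/system/local/outputs.conf before restarting; after the restart, a search on an indexer such as `index=_internal host=<search head>` (my suggested check, not from the FAQ) should start returning the search head's internal events.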
Notes
- Because the search head's internal logs are now stored on the indexers as well, you may need to increase the size of the indexers' internal indexes (such as _internal), depending on the volume.
- With this setting, all data ingested by the search head is forwarded to the indexers. If the search head ingests anything besides internal logs (for example, local inputs), that data is forwarded too.
- Only data added after the change is forwarded. Data captured before the change remains on the search head and is not forwarded to the indexers.
(End)
Contact: Macnica, Inc., Splunk team
- TEL: 045-476-2010
- E-mail: splunk-sales@macnica.co.jp
Weekdays: 9:00-17:00