Skip to main content
Solved

Config for Splunk Universal Forwarder

  • March 11, 2025
  • 4 replies
  • 11 views
M

Does anyone have a splunk universal forwarder config they typically use for forwarding?

Original Question: https://cribl-community.slack.com/archives/CPYBPK65V/p1690293855973699

Original Author: Matt

Best answer by Jon Rust

Really depends on the details, but here's a starting point. This would be in a new app's outputs.conf. the splunk output group is assumed to be in your your existing configs. The app name should be higher precedence than the existing (something like 000criblout).

[tcpout]# clone the stream to both cribl and splunk, but don't block if one is downdefaultGroup  = splunk,cribl_streamblockOnCloning = false[tcpout:cribl_stream]# sending to "default" WG in cloud with TLS enabledserver  = default.main.<instance>.cribl.cloud:9997sendCookedData = truesslRootCAPath  = $SPLUNK_HOME/etc/auth/cacert.pemuseSSL  = true

    4 replies

    Jon Rust
    Forum|alt.badge.img
    • Jon Rust
    • Employee
    • Answer
    • March 11, 2025

    Really depends on the details, but here's a starting point. This would be in a new app's outputs.conf. the splunk output group is assumed to be in your your existing configs. The app name should be higher precedence than the existing (something like 000criblout).

    [tcpout]# clone the stream to both cribl and splunk, but don't block if one is downdefaultGroup  = splunk,cribl_streamblockOnCloning = false[tcpout:cribl_stream]# sending to "default" WG in cloud with TLS enabledserver  = default.main.<instance>.cribl.cloud:9997sendCookedData = truesslRootCAPath  = $SPLUNK_HOME/etc/auth/cacert.pemuseSSL  = true
    M
    • Matt Feeley
    • Author
    • New Participant
    • March 11, 2025

    Thanks for the starter. Was curious about a standard other folks might follow i was unaware of. super helpful either way

    Jon Rust
    Forum|alt.badge.img
    • Jon Rust
    • Employee
    • March 11, 2025

    I like the above method because I can drop this into a Deployment Server, create a new server class for it, and assign a subset of forwarders to it easily. No change in your default apps. To revert, just remove the servers from the ServerClass. Presto-change-oh, back to normal.

    P
    • Paul Dott
    • Known Participant
    • March 11, 2025

    The approach is somewhat documented here as well https://docs.cribl.io/stream/sources-splunk/#config-splunk-fwd

    Terms & ConditionsAccessibility statement