Configuring forwarding
Forwarding involves configuring the UF to establish connectivity to the indexer peers it sends data to. This is configured in the outputs.conf file, which contains the required indexer peer details. The Splunk CLI also has commands to configure forwarding; these, in turn, write to the same outputs.conf file.
Indexers can receive the data on the default TCP port 9997, which system administrators must enable before connections from forwarders can be accepted. You also need to make sure the network is open between the forwarder and the indexers. In real-time Splunk deployments, the organization's network administrator can help establish this. In our scenario, we've set up a standalone Splunk Enterprise instance and a UF to ensure seamless connectivity. This arrangement helps avoid connectivity problems unless port 9997, which needs to be available for listening, is somehow unavailable. Let’s take a look at both the Splunk...
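A pre-flight check for the setup described above, as an added example that is not from the original text: it reads the indexer list from a forwarder's outputs.conf and tests whether each receiving port accepts a TCP connection. The sample file content, host names and function names are constructed for illustration.

```python
import configparser
import socket

# Constructed sample of a UF outputs.conf; host names are placeholders.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
"""

def forward_servers(conf_text):
    """Return (host, port) pairs for the group(s) named by defaultGroup."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.optionxform = str  # keep setting names such as defaultGroup as written
    cp.read_string(conf_text)
    groups = []
    if cp.has_option("tcpout", "defaultGroup"):
        raw = cp.get("tcpout", "defaultGroup")
        groups = [g.strip() for g in raw.split(",") if g.strip()]
    targets = []
    for group in groups:
        section = "tcpout:" + group
        if not cp.has_option(section, "server"):
            continue  # group is referenced but lists no indexers
        for entry in cp.get(section, "server").split(","):
            host, _, port = entry.strip().rpartition(":")
            if host and port.isdigit():
                targets.append((host.strip("[]"), int(port)))
    return targets

def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable or unroutable
        return False

def check_forwarding(conf_text):
    """Map each configured indexer to its TCP reachability."""
    return {f"{h}:{p}": port_open(h, p) for h, p in forward_servers(conf_text)}

if __name__ == "__main__":
    for target, ok in check_forwarding(SAMPLE_OUTPUTS_CONF).items():
        print(target, "reachable" if ok else "NOT reachable")
```

A successful connection only shows that something is listening on the port and that the network path is open; it does not confirm that the listener is a Splunk receiver.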