splunk / splunk-operator

Splunk Operator for Kubernetes

How to setup Universal Forwarder? #688

Closed onlineid closed 2 years ago

onlineid commented 2 years ago

Hi,

I have set up a Splunk cluster with 3 SH, 3 IDX on AKS. I use Azure Application Gateway for ingress control. I have also configured the path-based routing in ingress.yaml, and now I can log in to Splunk Web and upload tutorial data for testing.

But there is one issue remaining: I don't know how to configure the UF to get data into Splunk from other Linux servers. I can't find the instructions in the documents. Please advise.

Thanks.

pogdin commented 2 years ago

Hi @onlineid . Please see https://github.com/splunk/splunk-operator/blob/master/docs/Ingress.md#important-notes-on-using-splunk-on-kubernetes That might not answer all of your questions but is the place to start. It will depend on whether you are doing end-to-end encryption or terminating at the gateway.

onlineid commented 2 years ago

@pogdin Thanks for the prompt response, and sorry for my late reply. I have referred to the documents you linked above, and successfully set up the UF to get the data into the indexers. Thanks.

onlineid commented 2 years ago

Hi, @pogdin, I would like to confirm the meaning of the following description in the document.

"When configuring ingress for use with Splunk Forwarders, the configured ingress load balancer must resolve to two or more IPs. This is required so the auto load balancing capability of the forwarders is preserved."

As I understand it, this means there should be more than one indexer behind the configured L/B. Is my understanding correct?

rajeshvijayarajan commented 2 years ago

Not entirely accurate. The multiple indexer pods are sitting behind the indexer-service, which is automatically load balanced by k8s within the cluster. The statement above is referring to the external DNS RR you may have to use to load balance the traffic onto your ingress gateways. Simply put, the FQDN:9997 you configure on the forwarders should look up to different IP addresses (corresponding to the ingress gateways) - this is how you load balance the "edge" of the cluster where the traffic is ingested.

onlineid commented 2 years ago

Hi, @rajeshvijayarajan, thanks for the clarification. I am using an Azure internal L/B for UF log forwarding; it seems multiple frontend IPs are not supported... Anyway, thanks.

rajeshvijayarajan commented 2 years ago

You can do a simple test: do an nslookup of the FQDN and see if you are getting multiple IPs - if so, there is nothing else for you to do, the Splunk forwarder has the ability to multiplex over those IP addresses - I believe it can be configured to do so based on timeslice/volume.
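The nslookup check above can be scripted so it runs against exactly what a forwarder will use. The example below is added here and is not code from the Splunk Operator project or from anyone in this thread. It reads the `server =` targets out of an `outputs.conf` fragment (the sample fragment and its hostname are constructed for the example), resolves each target the way the forwarder's socket layer would, and reports whether the "two or more IPs" requirement from the Ingress docs is met. The `resolver` parameter is a hypothetical hook so the audit can be exercised offline with made-up addresses.

```python
import configparser
import socket

# Constructed outputs.conf fragment, shaped like what a Universal Forwarder carries.
# The hostname is made up; it is not from the issue or from the operator docs.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk-ingress.example.internal:9997
"""


def forwarder_targets(outputs_conf_text):
    """Return (host, port) pairs from every [tcpout:<group>] stanza's server= entry.

    outputs.conf is ini-style, so configparser parses it; interpolation is
    disabled because Splunk values may legitimately contain '%' or '$'.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(outputs_conf_text)
    targets = []
    for section in cp.sections():
        if section.startswith("tcpout:") and cp.has_option(section, "server"):
            # A server list may carry several comma-separated host:port entries.
            for entry in cp.get(section, "server").split(","):
                host, _, port = entry.strip().rpartition(":")
                targets.append((host, int(port)))
    return targets


def resolve_ingress(host, port):
    """Live resolution: every distinct address getaddrinfo returns for host:port,
    which is the same answer set the forwarder's TCP output sees."""
    addrs = set()
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        host, port, proto=socket.IPPROTO_TCP
    ):
        addrs.add(sockaddr[0])
    return sorted(addrs)


def check_forwarder_lb(addresses, minimum=2):
    """Verdict on one target: the Ingress docs require the load balancer FQDN to
    resolve to two or more IPs so the forwarder's own auto load balancing has
    more than one endpoint to spread across."""
    distinct = sorted(set(addresses))
    return {"ips": distinct, "count": len(distinct), "ok": len(distinct) >= minimum}


def audit_outputs_conf(outputs_conf_text, resolver=resolve_ingress):
    """Resolve and check every forwarder target in the given outputs.conf text.

    `resolver` is a hypothetical injection point (assumption for this example) so
    the audit can run offline with constructed address lists.
    """
    results = {}
    for host, port in forwarder_targets(outputs_conf_text):
        results[f"{host}:{port}"] = check_forwarder_lb(resolver(host, port))
    return results


if __name__ == "__main__":
    # Live run against the constructed config; replace SAMPLE_OUTPUTS_CONF with the
    # real file contents from /opt/splunkforwarder/etc/system/local/outputs.conf.
    for target, verdict in audit_outputs_conf(SAMPLE_OUTPUTS_CONF).items():
        state = "OK" if verdict["ok"] else "ONLY ONE IP - forwarder auto-LB has nothing to spread over"
        print(f"{target}: {verdict['count']} address(es) {verdict['ips']} -> {state}")
```

A target that resolves to a single address is not an error for the forwarder, it simply means all traffic from every forwarder lands on one ingress gateway, which is the situation the internal load balancer with one frontend IP produces.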

akondur commented 2 years ago

Hi @onlineid , can we go ahead and close the issue?

onlineid commented 2 years ago

Hi, @akondur, thanks. I have closed the issue.