Per the Splunk reference URL provided by @hwangho, scroll to the section "Forward search head data", subsection "2. Configure the search head as a forwarder":
"Create an outputs.conf file on the search head that configures the search head for load-balanced forwarding across the set of search peers (indexers)."
The correct answer is C. This question assumes that the indexer is already configured for listening; you are only configuring the search head to forward data to the indexer, in which case you only need to modify the outputs.conf on the search head.
This community usually gets these questions right, but I'm surprised by how many are putting the wrong answer. The correct answer is C. See the link in hwangho's post. Search heads, and all Splunk instances, already have inputs built to read internal logs by default. They just need an outputs.conf to create a tcpout stanza to your indexers to get them to send their internal logs, which is what this question is asking about. In our Splunk environment we have NEVER set up an inputs for internal logs, we only deploy an outputs.conf with our indexers listed in a tcpout stanza, and we get all of our internal logs just fine.
If you had other logs on a search head (like from a script or something), then yes, you would need an inputs.conf to get those to be read. But that is definitely not what this question is asking about.
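The search-head outputs.conf described in the comments above, as an added example that is not part of any commenter's post. The group name and indexer host names are placeholders, and it assumes the indexers are already listening on port 9997.

```ini
# outputs.conf on the search head (added example; names below are placeholders)

# Do not keep a local indexed copy on the search head
[indexAndForward]
index = false

[tcpout]
# Send everything to the indexer group defined below
defaultGroup = my_search_peers
# Disable the forwarded-index filters so all indexes are forwarded,
# including _internal and any summary indexes
forwardedindex.filter.disable = true
indexAndForward = false

# Listing several indexers enables load-balanced forwarding across them
[tcpout:my_search_peers]
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997
```

After a restart, searching `index=_internal host=<search head name>` from the indexer layer confirms that the search head's internal logs are arriving.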
B for sure. inputs.conf allows you to define data inputs that the Splunk instance should monitor and forward to indexers.
Use a monitor stanza specifying the path to the log files and the destination indexer's host name and port.
Stanza Sample
[monitor:///opt/splunk/var/log/splunk]
index = _internal
sourcetype = Splunkd
disabled = false
_TCP_ROUTING = indexer_group
The correct answer is B. inputs.conf is used to configure the inputs on a Splunk instance, including forwarding data from one instance to another. In this case, to forward the Splunk internal logs from a search head to the indexer, you would need to add a stanza to inputs.conf on the search head that specifies the indexer as the destination for the logs. The props.conf file is used to configure how data is processed after it has been indexed, outputs.conf is used to configure the destination of data for specific stanzas, and collections.conf is used for managing data in collections.
Just for a little clarification, configuring the sh as a forwarder using outputs.conf does not necessarily tell the sh to send a certain type of data that you would use inputs.conf for. However, this is talking about _internal, which I believe is data that is sent by default, without the need for inputs.conf. Please correct me if I am wrong here.
hwangho (Highly Voted), 3 years, 7 months ago
ucsdmiami2020, 2 years, 11 months ago
FrozenYeti (Most Recent), 4 weeks, 1 day ago
PrincePazol, 6 months, 3 weeks ago
CactiAZ, 9 months, 1 week ago
yaman778, 1 year ago
kolaturka, 1 year, 4 months ago
anonyuser, 1 year, 8 months ago
Hudda, 3 years, 1 month ago