Hello All,
I need to send logs to a new, separate Splunk server. I read about data cloning, followed the document, and modified the output.conf file accordingly. My questions are:
1. There are multiple output.conf files in the Splunk installation directory, so I have amended the files in two locations:
C:\Program Files\SplunkUniversalForwarder\etc\apps\Output_ORE\local
&
C:\Program Files\SplunkUniversalForwarder\etc\system\local
a. Which is the correct directory, as I presume I should make changes only in one location?
b. Is the configuration of output.conf on the client web servers managed by the Splunk server? If yes, then how can I deploy a config for the second Splunk server or amend the original one?
2. If I don't want to clone data anymore at a later stage and want to send different parts of the logs to the second Splunk server, where do I define this? I presume input.conf, but how?