Hello. I'm fairly new to Splunk and am working on configuring a Splunk infrastructure. If I have one search head server and one indexer server, any data that is indexed on the search head server should be forwarded to the indexer server. I see that there are Splunk documents that show to change the outputs.conf file to accomplish this.
However, instead of changing the outputs.conf file, could I install a universal forwarder on the search head server and use the universal forwarder to forward all indexed data to the indexer server?
I would appreciate any insight.
↧