Good day fellow Splunkers,
I have configured to forward data from a Splunk indexer to a 3rd party system (doing index and forward). My questions would be:
- Upon checking UDP connections shows that Splunk opens at least 20 connections to forward the data. Can this be limit to just 1? (I used port 514)
- Upon establishing TCP configurations to forward the logs, Splunk opens a lot of connections to the 3rd party system. Can I configure to balance the connections by making 2 ports to be used in forwarding. (1st half would be on port 514 the next half would be on port 515 but the same server IP and same sourcetype - just only 1 sourcetype)
Thanks