Setup: Currently I have the newest version of Splunk (6.0) running as my main Splunk server with several universal forwarders v 6.0 sending logs to the server to be indexed.
I have another box that the v 6.0 forwarders are incompatible with so I need to install Splunk version 3.14 onto the box. I see in the documentation that I can make the full installation a heavy forwarder to push to my regular indexer, but it is not working for me.
Steps Taken:
- I installed the full Splunk v 3.14 on the box I want to use as a forwarder
- Then enabled the forwarder: ./splunk enable app SplunkForwarder -auth <username>:<password>
- Started forwarding activity: ./splunk add forward-server <host>:<port> -auth <username>:<password>
- Added deploy server: ./splunk set deploy-poll <host>:<port>
- Restarted splunk: ./splunk restart
- Waited but the forwarder never appears in the list under Forwarder Management on the Splunk Server
I assume this has something to do with the different versions of Splunk that I am using, but the documentation says:
"All indexers are backwards compatible with any forwarder and can receive data from any earlier version forwarder."
Anyone else have this problem or know how to better implement this?
Documentation: