In this screencast, one of Hurricane Labs’ Splunk Administrators and Security Operations Analysts, Jeremy Nenadal walks you through a “How-To” for turning a Universal Forwarder into a Heavy Forwarder in Splunk. Performing this upgrade can be beneficial to your organization for a variety of reasons.
You may want to perform this migration because:
- A universal forwarder may not be able to fulfill the needs of your growing organization
- A software you’re installing may require a heavy forwarder with the additional features a universal forwarder lacks
Watch the screencast tutorial below for the full details of how to perform this upgrade.
This simple step-by-step process involves:
- stop the universal forwarder
- install new forwarder software
- (if running Windows)stop that forwarder from running
- copy over needed files
- start new forwarder back up again
The reason for this particular process, is to prevent re-indexing of files. If you uninstall and then reinstall the new version you will end up re-indexing files, which you don’t want to do.
Happy Splunking!