Clone Data to 2 Different Groups of Indexers in Splunk

How to configure a Splunk Forwarder (UF and HF) to send all data from defined inputs to two groups of Indexers, so that the data is cloned to both groups and load balanced across all available indexers within each group.

# Go to the configuration files directory, which is as follows:

# cd /opt/splunk/etc/system/local/

Step 1:

# cat outputs.conf

#Define the server group which should be used as default for TCP forwarding.

[tcpout]

autoLB = true

defaultGroup = XYZ_Indexer

#Define the target servers where the Forwarder should send the data to

[tcpout:XYZ_Indexer]

server = splunk01.abc:9997, splunk02.abc:9997

#Optional : activate acknowledgement between Forwarder and Indexers

useACK = true

#Define the target servers where the Forwarder should send the data to

[tcpout:MNO_Indexer]

server = splunk111.mno:9997, splunk222.mno:9997

#Optional : activate acknowledgement between Forwarder and Indexers

useACK = true

 

Step 2:

# cat inputs.conf

#Define the file which should be monitored, and set values for source, sourcetype and target index.

[monitor:///var/logs/mylog.log]

source = Mysource

sourcetype = Mysourcetype

index = Myindex

_TCP_ROUTING = XYZ_Indexer, MNO_Indexer

NOTE: Since we have set 2 target groups in the _TCP_ROUTING line, the data from this input will be cloned (copied) to both targets. That means both indexer groups will have the same set of data, and we will have to pay the license 2 times as well.
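A lint check for the two files above, added here as an example (it is not part of the original post or of Splunk's tooling): it reports which target groups each input is routed to and flags any `_TCP_ROUTING` group that has no matching `[tcpout:<group>]` stanza with servers. The function names `parse_conf`, `split_list` and `check_routing` are hypothetical, and the sample configuration is constructed from the group and host names used on this page.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, skipping '#' comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def check_routing(outputs_text, inputs_text):
    """Return (routes, problems): target groups per input, and config errors found."""
    outputs, inputs = parse_conf(outputs_text), parse_conf(inputs_text)
    problems = [f"[{name}] is not of the form [tcpout:<group>]"
                for name in outputs if name.startswith("tcpout") and re.search(r"\s", name)]
    groups = {name.split(":", 1)[1]: split_list(cfg.get("server", ""))
              for name, cfg in outputs.items() if name.startswith("tcpout:")}
    default = split_list(outputs.get("tcpout", {}).get("defaultGroup", ""))
    routes = {}
    for stanza, cfg in inputs.items():
        # An input without _TCP_ROUTING falls back to defaultGroup.
        routes[stanza] = split_list(cfg.get("_TCP_ROUTING", "")) or default
        for group in routes[stanza]:
            if not groups.get(group):
                problems.append(f"[{stanza}] routes to '{group}', which has no servers defined")
    return routes, problems

# Constructed sample input, reusing the group and host names from this page.
OUTPUTS = """[tcpout]
defaultGroup = XYZ_Indexer
[tcpout:XYZ_Indexer]
server = splunk01.abc:9997, splunk02.abc:9997
[tcpout:MNO_Indexer]
server = splunk111.mno:9997, splunk222.mno:9997
"""
INPUTS = """[monitor:///var/logs/mylog.log]
_TCP_ROUTING = XYZ_Indexer, MNO_Indexer
"""

if __name__ == "__main__":
    print(check_routing(OUTPUTS, INPUTS))
```

An input that is reported as routed to only one group is not being cloned, so one of the two indexer groups would be missing that data.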

Hope this has helped you in achieving the requirement below without fail:
Clone Data to 2 Different Groups of Indexers in Splunk

 
Happy Splunking !!

 
