Send All Data to One Group of Indexers in Splunk

How to configure a Splunk forwarder (UF or HF) to send all data from the defined inputs to one group of indexers, with the data load balanced across all available indexers.

# You need to go to the configuration files directory, which is as follows:

# cd /opt/splunk/etc/system/local/

Step 1:

# cat outputs.conf

# Define the server group which should be used as default for TCP forwarding.
[tcpout]
autoLB = true
defaultGroup = XYZ_Indexers

# Define the target servers where the forwarder should send the data to.
# The stanza name is written without spaces so that it matches defaultGroup.
[tcpout:XYZ_Indexers]
server = splunk01.abc:9997, splunk02.abc:9997
# Optional: activate acknowledgement between forwarder and indexers
useACK = true

Step 2:

# cat inputs.conf

# Define the path which should be monitored, and set values for source, sourcetype and target index.
[monitor:///var/logs/mylog.log]
source = Mysource
sourcetype = Mysourcetype
index = Myindex

NOTE: Since there is no other specific configuration, all data from this ip will be sent to the default forwarding group.
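A pre-deployment check for the outputs.conf described above, as an added example that is not part of the original post: it confirms that defaultGroup points at an existing [tcpout:<group>] stanza and that the group lists at least two well-formed host:port servers. The function names and sample text are constructed for illustration; it assumes stanza names are matched literally and does not handle IPv6 server entries.

```python
import re

# Constructed sample mirroring this page's outputs.conf.
SAMPLE_OUTPUTS = """\
[tcpout]
autoLB = true
defaultGroup = XYZ_Indexers

[tcpout:XYZ_Indexers]
server = splunk01.abc:9997, splunk02.abc:9997
useACK = true
"""

def parse_conf(text):
    """Parse .conf text into {stanza_name: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def check_outputs(text):
    """Return problems that would break default-group forwarding or load balancing."""
    stanzas, problems = parse_conf(text), []
    groups = split_list(stanzas.get("tcpout", {}).get("defaultGroup", ""))
    if not groups:
        problems.append("[tcpout] sets no defaultGroup")
    for group in groups:
        target = stanzas.get(f"tcpout:{group}")  # assumed: exact, literal name match
        if target is None:
            problems.append(f"no [tcpout:{group}] stanza for defaultGroup {group}")
            continue
        servers = split_list(target.get("server", ""))
        bad = [s for s in servers if not re.fullmatch(r"\S+:\d+", s)]
        if bad:
            problems.append(f"[tcpout:{group}] malformed server entries: {bad}")
        if len(servers) < 2:
            problems.append(f"[tcpout:{group}] has {len(servers)} server(s), nothing to balance across")
    return problems
```

An empty list from check_outputs means the default group resolves; a header typed as [tcpout : XYZ_Indexers] is reported as a missing stanza.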

Hope this has helped you in achieving the below requirement without fail:

Send All Data to One Group of Indexers in Splunk

Happy Splunking !!
