Split Data to 2 Different Indexer Groups in Splunk

Split Data to 2 Different Indexer Groups in Splunk

How to configure a Splunk Forwarder ( UF and HF )  to split the data from the defined inputs to two groups of indexers.

  • Input A will go to the first indexer group only ( XYZ_Indexer ).
  • Input B will go to the second indexer group only ( MNO_Indexer ).

The data will be load balanced across all available Indexers within each group, but no data will be cloned or copied.

# You need to go the configuration files directory which is as follows :

# cd /opt/splunk/etc/system/local/

Step 1:

# cat outputs.conf

 #Define the server group which should be used as default for TCP forwarding.

[tcpout]

autoLB = true

defaultGroup = XYZ_Indexer

#Define the target servers where the Forwarder should send the data to

[tcpout : XYZ_Indexer]

server= splunk01.abc:9997 , splunk02.abc:9997

#Optional : activate acknowledgement between Forwarder and Indexers

useACK = true

#Define the target servers where the Forwarder should send the data to

[tcpout : MNO_Indexer]

server= splunk111.mno:9997 , splunk222.mno:9997

#Optional : activate acknowledgement between Forwarder and Indexers

useACK = true

 

Step 2:

# cat inputs.conf

#Define the directory which should be monitored , and set values for source , sourcetype and target index.

[monitor:///var/logs/directory_A/mylog.log]

source = Mysource_A

sourcetype = Mysourcetype_A

index = Myindex_A

_TCP_ROUTING =  XYZ_Indexer

 

[monitor:///var/logs/directory_B/mylog.log]

source = Mysource_B

sourcetype = Mysourcetype_B

index = Myindex_B

_TCP_ROUTING =  MNO_Indexer

NOTE : Since we have set only 1 target group in the _TCP_ROUTING line, the data from this ip will be sent to this target only.

 

Hope this has helped you in achieving the below requirement without fail : 

Split Data to 2 Different Indexer Groups in Splunk

 

Happy Splunking !!

Advertisements

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.