Send All Data to One Group of Indexers in Splunk
How to configure a Splunk forwarder (UF or HF) to send all data from the defined inputs to one group of indexers, with the data load balanced across all available indexers.
# Go to the configuration files directory, which is as follows:
# cd /opt/splunk/etc/system/local/
Step 1:
# cat outputs.conf
#Define the server group which should be used as default for TCP forwarding.
[tcpout]
autoLB = true
defaultGroup = XYZ_Indexers
#Define the target servers where the Forwarder should send the data to
[tcpout:XYZ_Indexers]
server = splunk01.abc:9997, splunk02.abc:9997
#Optional : activate acknowledgement between Forwarder and Indexers
useACK = true
Step 2:
# cat inputs.conf
#Define the file which should be monitored, and set values for source, sourcetype and target index.
[monitor:///var/logs/mylog.log]
source = Mysource
sourcetype = Mysourcetype
index = Myindex
NOTE: Since there is no other specific configuration, all data from this input will be sent to the default forwarding group.
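The following check is an added example, not part of the original post or of Splunk itself: it parses outputs.conf text and confirms that every defaultGroup resolves to a [tcpout:<group>] stanza with well-formed host:port targets. The names check_outputs and split_list are hypothetical, and the sample input is constructed from the configuration above.

```python
import configparser
import re

# Constructed sample: the outputs.conf shown on this page.
SAMPLE = """\
[tcpout]
autoLB = true
defaultGroup = XYZ_Indexers

[tcpout:XYZ_Indexers]
server = splunk01.abc:9997, splunk02.abc:9997
useACK = true
"""

# Assumption: targets are hostnames or IPv4 addresses in host:port form.
HOST_PORT = re.compile(r"^[A-Za-z0-9._-]+:(\d{1,5})$")

def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def check_outputs(text):
    """Return a list of problems in outputs.conf text (empty list = consistent)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names such as defaultGroup case-sensitive
    cp.read_string(text)
    problems = []
    # Whitespace in a stanza header means the parsed name is not tcpout:<group>.
    for name in cp.sections():
        if re.search(r"\s", name):
            problems.append(f"stanza [{name}] contains whitespace")
    if not cp.has_section("tcpout"):
        return problems + ["missing [tcpout] stanza"]
    groups = split_list(cp.get("tcpout", "defaultGroup", fallback=""))
    if not groups:
        problems.append("[tcpout] sets no defaultGroup")
    for group in groups:
        stanza = f"tcpout:{group}"
        if not cp.has_section(stanza):
            problems.append(f"defaultGroup {group} has no [{stanza}] stanza")
            continue
        servers = split_list(cp.get(stanza, "server", fallback=""))
        if not servers:
            problems.append(f"[{stanza}] lists no servers")
        for entry in servers:
            m = HOST_PORT.match(entry)
            if not m or not 0 < int(m.group(1)) < 65536:
                problems.append(f"[{stanza}] bad server entry: {entry}")
    return problems

if __name__ == "__main__":
    print(check_outputs(SAMPLE) or "outputs.conf is consistent")
```

The check reads a single file only; the settings a forwarder actually uses are the merge of all its outputs.conf files, which `splunk btool outputs list --debug` prints.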
Hope this has helped you in achieving the below requirement without fail:
Send All Data to One Group of Indexers in Splunk
Happy Splunking!!