Split Data to 2 Different Indexer Groups in Splunk
How to configure a Splunk Forwarder (UF and HF) to split the data from the defined inputs between two groups of indexers.
- Input A will go to the first indexer group only (XYZ_Indexer).
- Input B will go to the second indexer group only (MNO_Indexer).
The data will be load balanced across all available Indexers within each group, but no data will be cloned or copied.
# Go to the configuration files directory, which is as follows:
# cd /opt/splunk/etc/system/local/
Step 1:
# cat outputs.conf
#Define the server group which should be used as default for TCP forwarding.
[tcpout]
autoLB = true
defaultGroup = XYZ_Indexer
#Define the target servers where the Forwarder should send the data to
[tcpout:XYZ_Indexer]
server = splunk01.abc:9997, splunk02.abc:9997
#Optional : activate acknowledgement between Forwarder and Indexers
useACK = true
#Define the target servers where the Forwarder should send the data to
[tcpout:MNO_Indexer]
server = splunk111.mno:9997, splunk222.mno:9997
#Optional : activate acknowledgement between Forwarder and Indexers
useACK = true
Step 2:
# cat inputs.conf
#Define the path which should be monitored, and set values for source, sourcetype and target index.
[monitor:///var/logs/directory_A/mylog.log]
source = Mysource_A
sourcetype = Mysourcetype_A
index = Myindex_A
_TCP_ROUTING = XYZ_Indexer
[monitor:///var/logs/directory_B/mylog.log]
source = Mysource_B
sourcetype = Mysourcetype_B
index = Myindex_B
_TCP_ROUTING = MNO_Indexer
NOTE: Since only one target group is set in each _TCP_ROUTING line, the data from that input will be sent to that target group only.
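A routing check for the two files above, added here as an example (it is not part of the original article or of Splunk): it reports which target group each input resolves to and flags inputs that would be cloned or that name a group outputs.conf does not define. The function names are hypothetical, the parser is a simplified single-file reader that ignores Splunk's configuration layering, and treating a header with spaces around the colon as undefined is a conservative assumption.

```python
import re

# Constructed sample configs based on the stanzas in this article.
OUTPUTS = """[tcpout]
defaultGroup = XYZ_Indexer
[tcpout:XYZ_Indexer]
server = splunk01.abc:9997, splunk02.abc:9997
[tcpout:MNO_Indexer]
server = splunk111.mno:9997, splunk222.mno:9997
"""
INPUTS = """[monitor:///var/logs/directory_A/mylog.log]
_TCP_ROUTING = XYZ_Indexer
[monitor:///var/logs/directory_B/mylog.log]
_TCP_ROUTING = MNO_Indexer
"""

def parse_conf(text):
    """Parse .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def split_groups(value):
    return [g.strip() for g in value.split(",") if g.strip()]

def audit_routing(outputs_text, inputs_text):
    """Return ({input stanza: [target groups]}, [problem strings])."""
    outputs, problems, defined, routes = parse_conf(outputs_text), [], set(), {}
    for name in outputs:
        ok = re.fullmatch(r"tcpout:(\S+)", name)
        if ok:
            defined.add(ok.group(1))
        elif re.match(r"tcpout\s*:", name):  # e.g. [tcpout : XYZ_Indexer]
            problems.append(f"[{name}] is not in the form [tcpout:<group>]")
    default = split_groups(outputs.get("tcpout", {}).get("defaultGroup", ""))
    for name, keys in parse_conf(inputs_text).items():
        # An input without _TCP_ROUTING falls back to defaultGroup.
        groups = routes[name] = split_groups(keys.get("_TCP_ROUTING", "")) or default
        if len(groups) > 1:
            problems.append(f"[{name}] is cloned to {groups}")
        problems += [f"[{name}] routes to undefined group {g}"
                     for g in groups if g not in defined]
    return routes, problems

print(audit_routing(OUTPUTS, INPUTS))
```

An empty problem list means every input resolves to exactly one defined group, which is the "no data will be cloned" requirement stated at the top.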
Hope this has helped you achieve the following requirement:
Split Data to 2 Different Indexer Groups in Splunk
Happy Splunking !!