https://community.splunk.com/t5/Splunk-Enterprise/We-built-a-new-indexer-cluster-and-trying-to-reroute-some-of-the/m-p/532512#M4394 <P>Check if the new indexers have receiver enabled correctly:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Enableareceiver" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Enableareceiver</A></P><P>See if you could send some dummy non-internal data from cluster master (using add oneshot method OR HEC).</P> Wed, 09 Dec 2020 18:16:26 GMT somesoni2 2020-12-09T18:16:26Z https://community.splunk.com/t5/Splunk-Enterprise/We-built-a-new-indexer-cluster-and-trying-to-reroute-some-of-the/m-p/532507#M4393 <P>Hello all,</P><P>we built a new cluster as we are getting out of space on current one and we are trying to reroute some of the ingestion to the new cluster by adding the new indexer clusters stanza in the outputs.conf and using _TCP_ROUTING setting in the inputs.conf the servers we want to reroute the ingestion.&nbsp;</P><P>below is the stanza we added in outputs.conf</P><P><SPAN>[tcpout:ABC_indexers] </SPAN></P><P><SPAN>Server = </SPAN><A href="http://172.16.200.178:9997/" target="_blank" rel="noopener nofollow noreferrer">xx.xx.xx.xx.xx:9997</A><SPAN>, </SPAN><A href="http://172.16.200.179:9997/" target="_blank" rel="noopener nofollow noreferrer">xx.xx.xx.xx.xx:9997</A><SPAN>, </SPAN><A href="http://172.16.200.180:9997/" target="_blank" rel="noopener nofollow noreferrer">xx.xx.xx.xx:9997</A></P><P><SPAN>useACK = true</SPAN></P><P><SPAN>in the inputs.conf we added below setting and pushed it to the servers we want to reroute the data and restarted the forwarder service:</SPAN></P><P><SPAN>_TCP_ROUTING =&nbsp;ABC_indexers</SPAN></P><P><SPAN>but we are not seeing any ingestion to the new cluster and we are getting few errors and warning. We checked that the forwarders are connected to all our new indexers over 9997 port.</SPAN></P><P><SPAN>WARN TcpOutputProc - The TCP output processor has paused the data flow. Forwarding to output group ABC_indexers has been blocked for 800 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.<BR />"INFO ProxyConfig - Failed to initialize https_proxy from server.conf for splunkd. Please make sure that the https_proxy property is set as https_proxy=<A href="http://host:port/" target="_blank" rel="noopener">http://host:port</A>&nbsp;in case HTTP proxying needs to be enabled."</SPAN></P><P><SPAN>we checked everything on the indexers but could not find out what is blocking the indexers to receive the data. We have cluster master which is ingesting internal logs to this new indexers and that is not having any issue.&nbsp;</SPAN></P><P>Please let me know if anyone got this issue and how you resolved it.</P><P>Thanks</P> Wed, 09 Dec 2020 17:50:04 GMT https://community.splunk.com/t5/Splunk-Enterprise/We-built-a-new-indexer-cluster-and-trying-to-reroute-some-of-the/m-p/532507#M4393 sathwik067 2020-12-09T17:50:04Z https://community.splunk.com/t5/Splunk-Enterprise/We-built-a-new-indexer-cluster-and-trying-to-reroute-some-of-the/m-p/532512#M4394 <P>Check if the new indexers have receiver enabled correctly:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Enableareceiver" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Enableareceiver</A></P><P>See if you could send some dummy non-internal data from cluster master (using add oneshot method OR HEC).</P> Wed, 09 Dec 2020 18:16:26 GMT https://community.splunk.com/t5/Splunk-Enterprise/We-built-a-new-indexer-cluster-and-trying-to-reroute-some-of-the/m-p/532512#M4394 somesoni2 2020-12-09T18:16:26Z