topic Index and forward, intermediate Splunk Indexer not forwarding data in Splunk Enterprise https://community.splunk.com/t5/Splunk-Enterprise/Index-and-forward-intermediate-Splunk-Indexer-not-forwarding/m-p/144789#M9077 <P>I am trying to implement a multiindexer environment where my two indexers are on different version of Splunk. IDX1 is Splunk 5.0.1 and IDX2 is 6.0. IDX is current working Indexer. It has data from all the forwarders.</P> <P>What I am trying to setup IDX1 to index as well as forward all incoming data to IDX2. I have configured IDX2 to receive on port 9998, IDX1 is configured to send data to IDX 2. Below is the outputs.conf on IDX1.</P> <PRE><CODE>[tcpout] defaultGroup = IDX2 indexAndForward = true [tcpout:IDX2] compressed = true server = &lt;IDX2 Host&gt;:9998 sslCertPath = XXXX.pem sslPassword = $1$7kxWZaCKikBUbg== sslRootCAPath = CAXXX.pem sslVerifyServerCert = true useACK = true </CODE></PRE> <P>I restarted both the servers after configuration, but the IDX1 is neither indexing nor forwarding data.<BR /> Error message on _internal index on IDX1</P> <PRE><CODE>11-15-2013 13:14:56.455 -0500 WARN TcpOutputProc - Applying quarantine to ip=X.X.X.X port=9998 _numberOfFailures=2 11-15-2013 13:14:56.455 -0500 INFO TcpOutputProc - Connection to X.X.X.X:9998 closed. Read error. Connection reset by peer 11-15-2013 13:14:56.455 -0500 INFO TcpOutputProc - Connected to idx=X.X.X.X:9998 11-15-2013 13:14:56.455 -0500 INFO StatusMgr - destHost=IDX2.example.com, destIp=X.X.X.X, destPort=9998, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor 11-15-2013 13:14:55.453 -0500 INFO TcpOutputProc - Connected to idx=X.X.X.X:9998 </CODE></PRE> <P>Is there any configuration I am missing? Appreciate your help.</P> Fri, 15 Nov 2013 20:40:32 GMT somesoni2 2013-11-15T20:40:32Z Index and forward, intermediate Splunk Indexer not forwarding data https://community.splunk.com/t5/Splunk-Enterprise/Index-and-forward-intermediate-Splunk-Indexer-not-forwarding/m-p/144789#M9077 <P>I am trying to implement a multiindexer environment where my two indexers are on different version of Splunk. IDX1 is Splunk 5.0.1 and IDX2 is 6.0. IDX is current working Indexer. It has data from all the forwarders.</P> <P>What I am trying to setup IDX1 to index as well as forward all incoming data to IDX2. I have configured IDX2 to receive on port 9998, IDX1 is configured to send data to IDX 2. Below is the outputs.conf on IDX1.</P> <PRE><CODE>[tcpout] defaultGroup = IDX2 indexAndForward = true [tcpout:IDX2] compressed = true server = &lt;IDX2 Host&gt;:9998 sslCertPath = XXXX.pem sslPassword = $1$7kxWZaCKikBUbg== sslRootCAPath = CAXXX.pem sslVerifyServerCert = true useACK = true </CODE></PRE> <P>I restarted both the servers after configuration, but the IDX1 is neither indexing nor forwarding data.<BR /> Error message on _internal index on IDX1</P> <PRE><CODE>11-15-2013 13:14:56.455 -0500 WARN TcpOutputProc - Applying quarantine to ip=X.X.X.X port=9998 _numberOfFailures=2 11-15-2013 13:14:56.455 -0500 INFO TcpOutputProc - Connection to X.X.X.X:9998 closed. Read error. Connection reset by peer 11-15-2013 13:14:56.455 -0500 INFO TcpOutputProc - Connected to idx=X.X.X.X:9998 11-15-2013 13:14:56.455 -0500 INFO StatusMgr - destHost=IDX2.example.com, destIp=X.X.X.X, destPort=9998, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor 11-15-2013 13:14:55.453 -0500 INFO TcpOutputProc - Connected to idx=X.X.X.X:9998 </CODE></PRE> <P>Is there any configuration I am missing? Appreciate your help.</P> Fri, 15 Nov 2013 20:40:32 GMT https://community.splunk.com/t5/Splunk-Enterprise/Index-and-forward-intermediate-Splunk-Indexer-not-forwarding/m-p/144789#M9077 somesoni2 2013-11-15T20:40:32Z Re: Index and forward, intermediate Splunk Indexer not forwarding data https://community.splunk.com/t5/Splunk-Enterprise/Index-and-forward-intermediate-Splunk-Indexer-not-forwarding/m-p/144790#M9078 <P>Resolved. With following configuration.Splunk 6.0 Indexer<BR /> Inputs.conf</P> <PRE><CODE>[SSL] password = certpassword rootCA = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem serverCert = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem requireClientCert = false [splunktcp-ssl:9998] compressed = true </CODE></PRE> <P>Splunk 5.0 Indexer<BR /> outputs.conf</P> <PRE><CODE>[tcpout] defaultGroup = DEV_INDEXERS_6_0 indexAndForward = true disabled = false [tcpout:DEV_INDEXERS_6_0] compressed = true server = &lt;splunk6 indexer server&gt;:9998 sslCertPath = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem sslPassword = certpassword sslRootCAPath = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem sslVerifyServerCert = false useACK = true sendCookedData = true </CODE></PRE> <P>Restarted both indexers and boom.</P> Mon, 02 Dec 2013 20:30:26 GMT https://community.splunk.com/t5/Splunk-Enterprise/Index-and-forward-intermediate-Splunk-Indexer-not-forwarding/m-p/144790#M9078 somesoni2 2013-12-02T20:30:26Z