topic Re: Index data and then forward to another indexer in Getting Data In

Index data and then forward to another indexer

danielez68 — Fri, 06 Jul 2012 16:57:02 GMT

Hi, we have and indexer that receive data from some Univ. Forwarder. Data are stored on different index (IndexA, IndexB, ..) based on Forwarder's index input configuration.
Now we need to to add a new index (that receive data from a new group of Forwarder) and then forward from the indexer the same indexed data to another indexer (for another group of people).

What's the best way to configure it (store and forward)?

Thanks!

Re: Index data and then forward to another indexer

rturk — Sat, 07 Jul 2012 02:51:10 GMT

Hi Daniel,

Did you want to store & forward ALL data received by Indexer-A to the new indexer (Indexer-B), or just data destined for the new Index (IndexC). There is the indexAndForward option in outputs.conf which will do the first option, but you're going to need to play with data routing;

http://docs.splunk.com/Documentation/Splunk/4.3.3/Deploy/Routeandfilterdatad

if you want more granular forwarding (the second option).

Instead of indexing data twice, is putting in a standalone search-head an option for your new users? This would allow you to simplify your design by:

Storing your data in one location (Indexer A)
Apply role based access
Save license quota usage by only indexing data once

Happy to discuss further 🙂

Re: Index data and then forward to another indexer

danielez68 — Mon, 28 Sep 2020 12:02:11 GMT

Hi R. Turk,

thanks for response. Our scenario (we are an IT Outsourcer) is to collect data (and store/retain on our indexer for IT/Security Analisys/Compliance) for our customers and than send the same "raw" copy to their indexer (with independent License) managed by them.
Our indexer should act as data collector and aggregator (we can't send directly to them with forwarders) and for some customers (not all..) forward/route also the data.

We can summarize in this way:

FWD(1,2,..n) -> IndexerA (Our indexer)

                            (Index1) Local   
                            (Index2) Local + Forward -> IndexerB (Customer1 Indexer)
                            (IndexN) Local

I have tried indexAndForward=true but this forward all indexes data.

I have tried (as explained in the Manuals)
selectiveIndexing=true
and
_INDEX_AND_FORWARD_ROUTING=local
_TCP_ROUTING=indexerB
on the dedicated tcp port on our indexer but we got config error on indexer startup.

We don't need to filter or make selective routing at this stage, we "simply" need to forward any indexed data to the destination indexer. Looking around I have not found some sample configuration, so the question here is to understand if the indexer is able to store data in a local index and then forward (or routing) the same data to another indexer.

Thanks for help and suggestion.

Re: Index data and then forward to another indexer

Drainy — Sat, 07 Jul 2012 14:01:22 GMT

Yup, have a look at Index Filtering in the outputs.conf spec; http://docs.splunk.com/Documentation/Splunk/latest/admin/outputsconf

Re: Index data and then forward to another indexer

danielez68 — Mon, 09 Jul 2012 17:47:36 GMT

Configuration with forwardedindex seems working, the only issue is that at indexer startup some events from blacklisted index still remain forwarded, probably because the filters configuration are not fully loaded ?

Is there a way to prevent this?

I need also to override (at indexer level) index declared by the Univ. forwarder. I have tried to put index=xxxx in the inputs.conf stanza but without results. Or at least reconfigure the index tag in the re-forwarded events.
Any suggestion is appeciated. thanks.

Re: Index data and then forward to another indexer

danielez68 — Mon, 28 Sep 2020 12:02:58 GMT

We still receiving wrong events on destination indexer when the indexer/fwd start like the following:

received event for unconfigured/disabled index='index_1' with source='source::/logs/aaa_.log' host='host::aaa0000' sourcetype='sourcetype::aaa_sourcetype' (2 missing total)
received event for unconfigured/disabled index='index_3' with source='source::/logs/bbb.log' host='host::bbb0000' sourcetype='sourcetype::bbb_sourcetype' (4 missing total)

Re: Index data and then forward to another indexer

danielez68 — Mon, 28 Sep 2020 12:03:01 GMT

These indexes are in the blacklist:

[tcpout]
indexAndForward = true

[tcpout:indexerB_9997]
disabled = false
server = indexerB:9997
forwardedindex.filter.disable = false
forwardedindex.0.blacklist = index_1
forwardedindex.1.blacklist = index_3
forwardedindex.2.whitelist = index_2

Probably something missing or misconfigured? Thanks.

Re: Index data and then forward to another indexer

rsankar — Tue, 19 Mar 2013 11:39:35 GMT

Hi Drainy

Per your first comment inthis post, can you elaborate on how we can do more granular forwarding.

We have a requirement where we want to forward to another groups indexer some selective indexed data from my groups indexer.

Thanks
Ramesh S
Echostar, Denver

Re: Index data and then forward to another indexer

abhijitmishra87 — Tue, 29 Sep 2020 11:01:58 GMT

It is because the "forwarded index" attributes are only applicable under the global [tcpout] stanza. This filter does not work if it is created any where else

Your configs should be

[tcpout]
indexAndForward = true
forwardedindex.filter.disable = false
forwardedindex.0.blacklist = index_1
forwardedindex.1.blacklist = index_3
forwardedindex.2.whitelist = index_2

[tcpout:indexerB_9997]
disabled = false
server = indexerB:9997