https://community.splunk.com/t5/Getting-Data-In/Can-I-forward-to-2-splunkcloud-deployments-at-a-time/m-p/150141#M30528 <P>I have 1 splunkcloud deployment, and I need to send a copy of my data to another deployment.</P> <UL> <LI>can the splunklcoud indexers forward data to another deployment ?</LI> <LI>can my forwarder send data to both deployments ?</LI> </UL> <P>I tried to see the forwarder credential apps I have, but they do not play nice together.</P> Thu, 30 Jul 2015 19:13:10 GMT yannK 2015-07-30T19:13:10Z https://community.splunk.com/t5/Getting-Data-In/Can-I-forward-to-2-splunkcloud-deployments-at-a-time/m-p/150141#M30528 <P>I have 1 splunkcloud deployment, and I need to send a copy of my data to another deployment.</P> <UL> <LI>can the splunklcoud indexers forward data to another deployment ?</LI> <LI>can my forwarder send data to both deployments ?</LI> </UL> <P>I tried to see the forwarder credential apps I have, but they do not play nice together.</P> Thu, 30 Jul 2015 19:13:10 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-forward-to-2-splunkcloud-deployments-at-a-time/m-p/150141#M30528 yannK 2015-07-30T19:13:10Z https://community.splunk.com/t5/Getting-Data-In/Can-I-forward-to-2-splunkcloud-deployments-at-a-time/m-p/150142#M30529 <P>After testing here is the procedure to configure a forwarder to send to 2 groups of indexers.</P> <P>1- download/retrieve the <STRONG>splunkcloud forwarder credential apps</STRONG> for the deployment A and B<BR /> rename the app folder to distinguish them. <BR /> by example: splunkcloudforwarder_A splunkcloudforwarder_B<BR /> You need to keep them both, as they contains distinct ssl certificates.</P> <P>2- in the app, go to default/outputs.conf<BR /> and <STRONG>edit the name of the tcpout group</STRONG> to distinguish them</P> <P>[tcpout:primary_indexers]<BR /> to<BR /> [tcpout:primary_indexers_A]<BR /> and<BR /> [tcpout:primary_indexers_B]</P> <P>3 - add a local/outputs.conf in one of the apps ( or in etc/system/local, but it's not convenient to deploy in apps)<BR /> and <STRONG>put the 2 new groups as default destination groups</STRONG> to clone the data to both.<BR /> [tcpout]<BR /> defaultGroup = primary_indexers_A, primary_indexers_B</P> <P>4 - test the merging of the configurations with a <STRONG>btool command</STRONG><BR /> cd $SPLUNK_HOME/bin<BR /> ./splunk cmd btool outputs list<BR /> You want to see<BR /> [tcpout]<BR /> defaultGroup = primary_indexers_A, primary_indexers_B<BR /> and 2 groups<BR /> [tcpout:primary_indexers_A]<BR /> [tcpout:primary_indexers_B]</P> <P>if you do not see them, use<BR /> ./splunk cmd btool outputs list --debug<BR /> to check where each configurations are coming from.</P> <P>5- <STRONG>start the forwarder and confirm</STRONG> that it is sending data to the 2 groups<BR /> you can look at the internal logs (index=_internal host=myforwardername)</P> <P>Remarks :</P> <UL> <LI><P>when you start splunk, the clear ssl password in the apps /default/outputs.conf will be encrypted and saved in /local/outputs.conf file. But cannot be decrypted by another forwarder. So if you want to copy the apps from a forwarder to another, (or deploy it using a deployment server), make sure to remove the line with the local folder.</P></LI> <LI><P>You can use this configuration on the forwarders directly</P></LI> <LI><P>If you want to use intermediary forwarder you just need to configure your first forwarders to send the data to the intermediary forwarders, and setup an input on the intermediary forwarder in inouts.conf<BR /> [splunktcp:9997]</P> <UL> <LI>You can use an Universal forwarder or a lightweight forwarder as intermediary forwarder (the heavy forwarder allow parsing and filtering but has a heavier load, and require you to install all your indexers parsing apps on them too)</LI> </UL></LI> </UL> Tue, 29 Sep 2020 06:51:08 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-forward-to-2-splunkcloud-deployments-at-a-time/m-p/150142#M30529 yannK 2020-09-29T06:51:08Z