https://community.splunk.com/t5/Getting-Data-In/Forwarder-load-balancing-over-SSL-to-indexer-cluster/m-p/497146#M84763 <P>Your <CODE>outputs.conf</CODE> looks fine to me, but I would add indexer acknowledgement to it. Add ** useACK = true ** under your tcpout:LB stanza to look like this:<BR /> ** [tcpout:LB]<BR /> server = idx2:9998,idx1:9998<BR /> useACK = true ** </P> <P>According to Splunk Docs, <EM>[splunktcp-ssl:####]</EM> is supposed to be used to receive <STRONG>PARSED</STRONG> data from a forwarder. Unless you are using a heavy forwarder that is parsing data before sending to your indexers, use <EM>[tcp-ssl:####]</EM>. <A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Monitornetworkports">See Section: Configure a TCP input over SSL</A> </P> <P><STRONG><EM>I am reading conflicting statements about which stanza to use, but I know the <CODE>inputs.conf.spec</CODE> file states what I mentioned above about [splunktcp-ssl] vs [tcp-ssl]</EM></STRONG></P> <P>Other than those changes. Make sure that idx2's inputs.conf matches exactly idx1's inputs.conf (which I am sure you have). I would maybe try running a btool check and see if inputs.conf has any stanza errors. <CODE>$SPLUNK_HOME/bin/splunk btool inputs list --debug</CODE> on idx1. May I also suggest some strategies mentioned on Splunk Docs <A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/Troubleshootyouforwardertoindexerauthentication">Troubleshoot your forwarder to indexer authentication</A> </P> Tue, 28 Jan 2020 20:31:44 GMT 13tsavage 2020-01-28T20:31:44Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-load-balancing-over-SSL-to-indexer-cluster/m-p/497145#M84762 <P>Currently trying to load balance data from forwarder to indexer cluster ( idx1 &amp; idx2) over ssl .</P> <P>So this configuration is correct at forwarder outputs.conf?</P> <P>[tcpout]<BR /> defaultGroup = LB</P> <P>[tcpout:LB]<BR /> server = idx2:9998,idx1:9998</P> <P>clientCrt = XXX<BR /> sslPassword = XXX<BR /> sslVerifyServerCert = XXX</P> <P>problem statement - already try above configuration but LB happening only on idx2 until I make following change in idx1 inputs.conf </P> <H2>here i know that data is not moving over SSL</H2> <P>[splunktcp://9998]<BR /> connection_host = ip</P> <P>[splunktcp-ssl:9998]<BR /> disabled = 0<BR /> [SSL]<BR /> serverCert = XXX<BR /> sslPassword = XXX<BR /> requireClientCert = false</P> <P>idx2 inputs.conf</P> <P>[splunktcp-ssl:9998]<BR /> disabled = 0<BR /> [SSL]<BR /> serverCert = XXX<BR /> sslPassword = XXX<BR /> requireClientCert = false</P> Tue, 28 Jan 2020 15:31:45 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-load-balancing-over-SSL-to-indexer-cluster/m-p/497145#M84762 aniketpatil 2020-01-28T15:31:45Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-load-balancing-over-SSL-to-indexer-cluster/m-p/497146#M84763 <P>Your <CODE>outputs.conf</CODE> looks fine to me, but I would add indexer acknowledgement to it. Add ** useACK = true ** under your tcpout:LB stanza to look like this:<BR /> ** [tcpout:LB]<BR /> server = idx2:9998,idx1:9998<BR /> useACK = true ** </P> <P>According to Splunk Docs, <EM>[splunktcp-ssl:####]</EM> is supposed to be used to receive <STRONG>PARSED</STRONG> data from a forwarder. Unless you are using a heavy forwarder that is parsing data before sending to your indexers, use <EM>[tcp-ssl:####]</EM>. <A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Monitornetworkports">See Section: Configure a TCP input over SSL</A> </P> <P><STRONG><EM>I am reading conflicting statements about which stanza to use, but I know the <CODE>inputs.conf.spec</CODE> file states what I mentioned above about [splunktcp-ssl] vs [tcp-ssl]</EM></STRONG></P> <P>Other than those changes. Make sure that idx2's inputs.conf matches exactly idx1's inputs.conf (which I am sure you have). I would maybe try running a btool check and see if inputs.conf has any stanza errors. <CODE>$SPLUNK_HOME/bin/splunk btool inputs list --debug</CODE> on idx1. May I also suggest some strategies mentioned on Splunk Docs <A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/Troubleshootyouforwardertoindexerauthentication">Troubleshoot your forwarder to indexer authentication</A> </P> Tue, 28 Jan 2020 20:31:44 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-load-balancing-over-SSL-to-indexer-cluster/m-p/497146#M84763 13tsavage 2020-01-28T20:31:44Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-load-balancing-over-SSL-to-indexer-cluster/m-p/497147#M84764 <P>Thanks for suggest and now it is working .<BR /> there was no change done within inputs.config as it is working fine with splunktcp-ssl stanza . only change made with outputs.conf</P> <P>@13tsavage - thanks for help .</P> Wed, 29 Jan 2020 06:56:45 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-load-balancing-over-SSL-to-indexer-cluster/m-p/497147#M84764 aniketpatil 2020-01-29T06:56:45Z