Ingesting data into two indexes from one Heavy Forwarder

splunky1 — Mon, 17 May 2021 13:18:52 GMT

I have Splunk in the below design

One HF to two sperate indexers that are not clustered.

I have UF installed on my workstation and UF is sending logs to the HF.

HF has data inputs set to all types of windows logs to an index to windows and this is going to indexer A but data not going to indexer B.

My outputs.conf in the UF is like

[tcpout]
useACK = true
maxQueueSize = auto
readTimeout = 300

[tcpout:abchf]
server = 10.20.30.40:9997
compressed = TRUE
sslRootCAPath = C:/Program Files/SplunkUniversalForwarder/etc/apps/test
sslCertPath = C:/Program Files/SplunkUniversalForwarder/etc/apps/test
sslPassword = Password
sslVerifyServerCert = true
sslCommonNameToCheck = google.com

In the indexer A I can see the data is ingested but in the indexer B I cannot see the data.

As I mentioned earlier indexer A and indexer B are not clustered indexers.

Re: Ingesting data into two indexes from one Heavy Forwarder

gcusello — Mon, 17 May 2021 14:09:22 GMT

Hi @splunky1,

each Heavy Forwarder (don't ask me why because I never understood this!) sends logs to only one Indexer even if it has two Indexers available: it can change the destination Indexer, but always one at a time.

If you can is more efficient to use the Heavy Forwarder as a concentrator only if you have strickly security requirements, in other words, if you can is more efficient that UFs send their logs directly to the Indexers and use HF only for syslogs.

In addition if you have only one HF you have an additional Single Point of failure

Ciao.

Giuseppe

topic Re: Ingesting data into two indexes from one Heavy Forwarder in Getting Data In

Ingesting data into two indexes from one Heavy Forwarder

Re: Ingesting data into two indexes from one Heavy Forwarder