All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can the Splunk Add-on for AWS forward to a non-default indexer cluster?

scombs
Path Finder
‎06-02-2023 02:53 PM

Is it possible to forward different Splunk Add-on for AWS inputs to different indexer clusters?   We have a heavy forwarder using Splunk_TA_aws and standard defaultGroup=<clusterlabel>, indexerDiscovery, etc configured in etc/system/local/outputs.conf.  At present, all the AWS inputs are forwarded to indexes contained within the default indexer cluster.  However, we now have an AWS input which we want to forward to an index in a different indexer cluster.  Are there options within either the etc/apps/Splunk_TA_aws/local/ or other .conf files that will allow us to, say, add a second [tcpout:Cluster2] stanza into outputs.conf and then forward  events from this new AWS input to it?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-04-2023 03:54 AM

Hi

i haven’t do it with AWS TA, but I suppose that you could do it with these instructions https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Routeandfilterdatad

r. Ismo

Reply

scombs
Path Finder
‎06-09-2023 07:54 PM

Thanks r.

I didn't try your solution, but another colleague got it working with the following configuration.

 

 

../etc/system/local/outputs.conf
[indexer_discovery:first_cluster_label]
master_uri = https://mm.mm.mm.mm:8089
passSymmKey = $asdfasfasdfasfasdfasdfas=
. . .
[indexer_discovery:second_cluster_label]
master_uri = https://nn.nn.nn.nn:8089
passSymmKey = $zxcvzxcvzxcvzxcvzxcvzxcv=
. . .
[tcpout:FirstClusterName]
autoLBFrequency = 30
indexerDiscovery = first_cluster_label
. . .
[tcpout:SecondClusterName]
autoLBFrequency = 30
indexerDiscovery = second_cluster_label
. . .
[tcpout]
defaultGroup = FirstClusterName
. . .


../etc/apps/Splunk_TA_aws/inputs.conf
[aws_sqs_based_s3://First_SQS_S3_Import]
# Uses defaultGroup.
. . .
[aws_sqs_based_s3://Second_SQS_S3_Import]
_TCP_ROUTING = SecondClusterName
. . .

 

 

 

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-10-2023 12:07 AM
This is exactly the same solution what I propose. It’s even better learning experience that you are solving it by yourself;-)
Happy splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...