Re: Could you please recommend how to forward data...

annebeate · ‎11-26-2013

Hi,

We need to share certain log events between two splunk instances. How can we accomplish this? Pulling data using the REST API? Setting up multiple forwarders?

Thanks,
Anne

linu1988 · ‎11-26-2013

Hello,
Are those splunk instance are with enterprise license? are those having same indexes?

If at all you dont have forwarder then you can install them and forward to as many splunk indexer you want. The configuration needs to be done in Outputs.conf where you want to send. If the it's linux machine you can monitor the log using inputs.conf file.

[tcpout]
defaultGroup=indexer1,indexer2

[tcpout:indexer1]
server=10.1.1.197:9997

[tcpout:indexer2]
server=10.1.1.200:9997

Reference:
_http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Configureforwarderswithoutputs.confd
_http://docs.splunk.com/Documentation/Splunk/6.0/admin/inputsconf - >
[monitor://]

annebeate · ‎11-26-2013

Thanks 🙂 Both have enterprise licenses. I guess they need to have the same index name as configured on inputs.conf.

gfuente · ‎11-26-2013

Hello

In the Forwarder where you installed the REST API, you should configure the outputs.conf to send the data to all the indexers you want to

Regards

annebeate · ‎11-26-2013

Thanks 🙂 Easier than I thought.

Could you please recommend how to forward data from one splunk instance to another splunk instance?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!