Archive
Highlighted

Re: Multi-Site Cluster | Failure Tolerance

SplunkTrust
SplunkTrust

outputs.conf has nothing to do with running searches. Nor does it have anything to do with ingesting data. It merely tells a Splunk instance where to put its data.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: Multi-Site Cluster | Failure Tolerance

Loves-to-Learn Lots

But that's what you suggested to look at under outputs.conf -
/Your outputs.conf file must have a server setting or a indexerDiscovery setting./

and here is what splunk says around these parameters -

"server = [|]:, [|]:, ...
* A comma-separated list of one or more systems to send data to over a
TCP socket.
* Required if the 'indexerDiscovery' setting is not set.
* Typically used to specify receiving Splunk systems, although you can use
it to send data to non-Splunk systems (see the 'sendCookedData' setting).
* For each system you list, the following information is required:
* The IP address or server name where one or more systems are listening.
* The port on which the syslog server is listening.
indexerDiscovery =
* The name of the master node to use for indexer discovery.
* Instructs the forwarder to fetch the list of indexers from the master node
specified in the corresponding [indexer_discovery:] stanza.
* No default."

0 Karma
Highlighted

Re: Multi-Site Cluster | Failure Tolerance

SplunkTrust
SplunkTrust

My point was outputs.conf does not restrict the SH to search on any specific indexers. Nor does it restrict ingestion of data to any specific site.

---
If this reply helps you, an upvote would be appreciated.
0 Karma