
Why is data not being routed to the second group when we have an issue with the first group of indexers?

gandusarath538
New Member

Hello all, we need help with the issue below.

We are routing data to 2 different indexer groups using _TCP_ROUTING in inputs.conf, and when one group is down, data is not forwarded to the second group of indexers. Is this expected?

Please provide your inputs if you have any similar issue or know how to handle this case.

Thanks

0 Karma

yannK
Splunk Employee

If you are using cloned groups, the default is to stop all forwarding as soon as one group is not accepting data.
Check for settings in outputs.conf like blockOnCloning.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

For syslog routing, it also stops as soon as splunktcp or syslog is blocked.
For _TCP_ROUTING I am not sure of the behavior; it may be the same.

0 Karma

pellegrini
Path Finder

Not true, according to the outputs.conf manual since version 7 at least. One cloned output group should be enough to keep the event flow running.

Whether or not the TcpOutputProcessor should wait until at least one
  of the cloned output groups receives events before attempting to send
  more events.
* If set to "true", the TcpOutputProcessor blocks until at least one of the
  cloned groups receives events.

According to the manual, a cloned group is defined as two or more groups in the defaultGroup attribute. https://docs.splunk.com/Documentation/Forwarder/8.1.3/Forwarder/Configureforwardingwithoutputs.conf

This is so strange, since the real behavior is like Rich says. That's my experience as well. https://community.splunk.com/t5/Getting-Data-In/Any-data-forwarding-issue-using-data-cloning-and-dif...

If there is one or no groups in defaultGroup you might have some different behavior, since then you must use _TCP_ROUTING instead, and the event metadata is tagged with the route in that case, which is probably not the case if you use two groups in defaultGroup. 

Anyone with any practical experience, please share.

0 Karma
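An added example, not part of any post in this thread and not Splunk's own code: a small audit of a forwarder's inputs.conf and outputs.conf that lists inputs cloned to more than one tcpout group and reports the queue settings the outputs.conf manual documents for cloned groups. The group names, hosts and monitored paths are constructed; the dropClonedEventsOnQueueFull setting and both default values are taken from the outputs.conf manual rather than from the thread, and whether a forwarder actually behaves as documented with _TCP_ROUTING is the question the posts above leave open.

```python
import configparser

# Constructed sample configs: group names, hosts and monitored paths are assumptions.
INPUTS_CONF = """
[monitor:///var/log/app]
_TCP_ROUTING = groupA,groupB
[monitor:///var/log/other]
_TCP_ROUTING = groupA
"""
OUTPUTS_CONF = """
[tcpout]
defaultGroup = groupA
dropClonedEventsOnQueueFull = -1
[tcpout:groupA]
server = idx-a1.example.com:9997
[tcpout:groupB]
server = idx-b1.example.com:9997
"""

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return cp

def audit(inputs_text, outputs_text):
    """Return (settings, findings) for inputs routed to more than one tcpout group."""
    inputs, outputs = parse(inputs_text), parse(outputs_text)
    tcpout = outputs["tcpout"] if outputs.has_section("tcpout") else {}
    settings = {
        # Fallbacks are the defaults given in the outputs.conf manual.
        "blockOnCloning": tcpout.get("blockOnCloning", "true").strip().lower(),
        "dropClonedEventsOnQueueFull": int(tcpout.get("dropClonedEventsOnQueueFull", "5")),
    }
    findings = []
    for stanza in inputs.sections():
        routing = inputs[stanza].get("_TCP_ROUTING", tcpout.get("defaultGroup", ""))
        groups = [g.strip() for g in routing.split(",") if g.strip()]
        for g in groups:
            if not outputs.has_section("tcpout:" + g):
                findings.append((stanza, "group %s has no [tcpout:%s] stanza" % (g, g)))
        if len(groups) > 1 and settings["dropClonedEventsOnQueueFull"] == -1:
            findings.append((stanza, "cloned to %s with dropClonedEventsOnQueueFull = -1: "
                             "documented to block all groups while one is down" % groups))
    return settings, findings

if __name__ == "__main__":
    settings, findings = audit(INPUTS_CONF, OUTPUTS_CONF)
    print(settings)
    for stanza, message in findings:
        print(stanza, "->", message)
```

A clean report only describes the configuration; stopping one indexer group in a test environment and watching whether the other keeps receiving events is what confirms the behavior.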