send data from heavy forwarder to peer index

Path Finder

Hello, I need to send specific log file data from the HF to a specific index on the peer.

bash-4.2$ more inputs.conf

[monitor:///tmp/Apache_test/Apache_Logs.txt]
_TCP_ROUTING = APCHA
index = test

bash-4.2$ more outputs.conf

[tcpout:APCHA]
server = cluser-peer.splunk.com:9997

I have already created an index on my cluser-peer.splunk.com server: index = test

After completing the set-up, when I tried to search index=test in the SH or anywhere, I am getting no results.
Please help me out if I am missing anything.

0 Karma

SplunkTrust

Hi Prakhar_shukla,
Probably you didn't insert the full outputs.conf file, so at the end there's also the following row:

[tcpout-server://cluser-peer.splunk.com:9997]

At first I'd try to use the IP address instead of the hostname to be sure that the host is correctly resolved.

If the problem is still present, try to debug the HF's logs:
in $SPLUNK_HOME/var/log/splunk/splunkd.log, search for connections to cluser-peer.splunk.com.

If the connection is correctly established, test log extraction by sending logs to all servers, deleting the _TCP_ROUTING = APCHA row in inputs.conf.

Try to insert crcSalt = <SOURCE> in the monitor stanza of the inputs.conf file (and restart Splunk, obviously!).

If you still have no logs in your indexer, verify the log path (/tmp/Apache_test/Apache_Logs.txt) and try to modify [monitor://......] in inputs.conf to use another log file.

Bye.
Giuseppe

Path Finder

Thanks cusello and woodcock. Apart from adding the last line of the stanza, I had to enable index acknowledgment to make it work.

0 Karma
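The checks discussed in this thread can be run against the two files before restarting the forwarder. The following is an added example, not code from any poster or from Splunk: the function names are hypothetical, and it assumes the acknowledgment mentioned above is the outputs.conf setting useACK.

```python
import configparser

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep key case: _TCP_ROUTING must not be lowercased
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def check_routing(inputs_text, outputs_text):
    """Return findings for monitor inputs whose routing looks incomplete."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    findings = []
    for stanza, kv in inputs.items():
        if not stanza.startswith("monitor://"):
            continue
        if "index" not in kv:
            findings.append(f"[{stanza}] sets no index")
        routing = kv.get("_TCP_ROUTING")
        if routing is None:
            findings.append(f"[{stanza}] has no _TCP_ROUTING")
            continue
        # _TCP_ROUTING is a comma-separated list of tcpout group names.
        for group in (g.strip() for g in routing.split(",")):
            target = outputs.get(f"tcpout:{group}")
            if target is None:
                findings.append(f"[{stanza}] routes to undefined group {group}")
            elif not target.get("server"):
                findings.append(f"[tcpout:{group}] has no server setting")
            elif target.get("useACK", "false").lower() not in ("true", "1"):
                findings.append(f"[tcpout:{group}] does not enable useACK")
    return findings

# The two files as posted in the question.
POSTED_INPUTS = """\
[monitor:///tmp/Apache_test/Apache_Logs.txt]
_TCP_ROUTING = APCHA
index = test
"""
POSTED_OUTPUTS = """\
[tcpout:APCHA]
server = cluser-peer.splunk.com:9997
"""
# Constructed variant: adds useACK (assumed setting) and the body-less stanza.
FIXED_OUTPUTS = (POSTED_OUTPUTS + "useACK = true\n\n"
                 "[tcpout-server://cluser-peer.splunk.com:9997]\n")

if __name__ == "__main__":
    for label, out in (("posted", POSTED_OUTPUTS), ("constructed", FIXED_OUTPUTS)):
        print(label, check_routing(POSTED_INPUTS, out))
```

This only validates the forwarder-side files; whether the index exists on the receiving peer still has to be checked there.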

Esteemed Legend

The body-less stanza header is completely useless and unnecessary so that cannot be it. I agree with the rest of what @cusello advises, though.

0 Karma

Path Finder

Hello cusello, in the search head I am getting data, but it is very weird.

1) In search I can see cluster-peer2 in splunk-server in the SH; I only configured cluster-peer1 for this specific log monitoring.
2) It is coming via index "main" rather than the index (test) I created and specified in the input file.

0 Karma

Communicator

Hi,
Are you sure it's cluser? And not cluster?
