
send data from heavy forwarder to peer index

Path Finder

Hello, I need to send a specific log file's data from the HF to a specific index on a peer.

bash-4.2$ more inputs.conf

[monitor:///tmp/Apache_test/Apache_Logs.txt]
_TCP_ROUTING = APCHA
index = test

bash-4.2$ more outputs.conf

[tcpout:APCHA]
server = cluser-peer.splunk.com:9997

I have already created an index on my cluser-peer.splunk.com server: index = test

After completing the set-up, when I tried to search index=test in the SH or anywhere, I got no results.
Please help me out if I am missing anything.

1 Solution

Legend

Hi Prakhar_shukla,
probably you didn't paste the full outputs.conf file, so at the end there's also the following row:

[tcpout-server://cluser-peer.splunk.com:9997]

First, I'd try to use the IP address instead of the hostname, to be sure that the host is correctly resolved.

If the problem is still present, try to debug the HF's logs:
in $SPLUNK_HOME/var/log/splunk/splunkd.log, search for connections to cluser-peer.splunk.com.

If the connection is correctly established, test log extraction by sending logs to all servers, deleting the _TCP_ROUTING = APCHA row in inputs.conf.

Try to insert crcSalt = <SOURCE> in the monitor stanza of the inputs.conf file (and restart Splunk, obviously!).

If there are still no logs on your indexer, verify the log path (/tmp/Apache_test/Apache_Logs.txt) and try to modify [monitor://......] in inputs.conf to use another log file.

Bye.
Giuseppe

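Added example, not from this thread and not Splunk's own tooling: a Python script that applies the checks in this answer offline. It first cross-checks inputs.conf against outputs.conf (every _TCP_ROUTING group has a [tcpout:<group>] stanza, each server is host:port, hostnames are flagged so you confirm they resolve from the HF or switch to the IP, crcSalt = <SOURCE> is set, and useACK is on, which the asker later reported was needed), then scans splunkd.log lines for TcpOutputProc connection and failure messages about one peer. The sample configs are the ones posted in the question; the splunkd.log lines are constructed and modelled on the TcpOutputProc messages Splunk writes, whose exact wording can differ between versions, so treat the two regexes as assumptions to adjust. One thing no offline check can verify: the index named in inputs.conf must also exist on every peer the group sends to.

```python
import ipaddress
import re

# Constructed sample input: the two files posted in the question (hostname kept as posted).
INPUTS_CONF = """
[monitor:///tmp/Apache_test/Apache_Logs.txt]
_TCP_ROUTING = APCHA
index = test
"""

OUTPUTS_CONF = """
[tcpout:APCHA]
server = cluser-peer.splunk.com:9997
"""

# Constructed splunkd.log lines, modelled on Splunk's TcpOutputProc messages
# (the exact wording differs between versions; adjust the patterns below if needed).
SPLUNKD_LOG = [
    "01-10-2019 10:00:01.123 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out",
    "01-10-2019 10:00:31.456 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.5:9997, pset=0, reuse=0.",
    "01-10-2019 10:00:32.000 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.6:9997, pset=0, reuse=0.",
]

# Assumed message shapes: a successful connect names the peer as idx=host:port,
# a failure names it as ip=/host=/idx= and ends in failed / timed out / refused.
CONNECTED_RE = re.compile(r"TcpOutputProc - Connected to idx=(?P<peer>[^,\s]+)")
FAILURE_RE = re.compile(
    r"TcpOutputProc - (?P<msg>.*?\b(?:ip|host|idx)=(?P<peer>[^,\s]+).*?(?:failed|timed out|refused).*)",
    re.IGNORECASE,
)


def parse_conf(text):
    """Parse Splunk's INI-like .conf syntax into {stanza: {key: value}}.
    Keys keep their case (_TCP_ROUTING, useACK), which is why configparser is avoided."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_routing(inputs_text, outputs_text):
    """Cross-check every monitor stanza against its tcpout group(s); return a list of findings."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    groups = {n[len("tcpout:"):]: b for n, b in outputs.items() if n.startswith("tcpout:")}
    findings = []
    for stanza, body in inputs.items():
        if not stanza.startswith("monitor://"):
            continue
        if "crcSalt" not in body:
            findings.append(f"{stanza}: no crcSalt; a file whose first bytes match an "
                            "already-indexed file is treated as the same file and skipped")
        routing = body.get("_TCP_ROUTING")
        if routing is None:
            findings.append(f"{stanza}: no _TCP_ROUTING; events go to the defaultGroup")
            continue
        for group in (g.strip() for g in routing.split(",")):
            if group not in groups:
                findings.append(f"{stanza}: _TCP_ROUTING group {group} has no [tcpout:{group}] stanza")
                continue
            if groups[group].get("useACK", "false").lower() != "true":
                findings.append(f"[tcpout:{group}]: useACK is not enabled")
            # A missing server setting yields one empty entry and is reported as malformed.
            for server in (s.strip() for s in groups[group].get("server", "").split(",")):
                host, _, port = server.rpartition(":")
                if not host or not port.isdigit():
                    findings.append(f"[tcpout:{group}]: server '{server}' is not host:port")
                    continue
                try:
                    ipaddress.ip_address(host)
                except ValueError:
                    findings.append(f"[tcpout:{group}]: {host} is a hostname; confirm it "
                                    "resolves from the HF, or use the IP address instead")
    return findings


def scan_splunkd_log(lines, peer):
    """Return (connected, failure_messages) for one host:port as seen by TcpOutputProc."""
    connected, failures = False, []
    for line in lines:
        ok = CONNECTED_RE.search(line)
        if ok and ok.group("peer") == peer:
            connected = True
            continue
        bad = FAILURE_RE.search(line)
        if bad and bad.group("peer") == peer:
            failures.append(bad.group("msg"))
    return connected, failures
```

Run check_routing on the two posted files to see what a reviewer would raise before touching the indexer; once outputs.conf points at an IP literal with useACK = true and the monitor stanza carries crcSalt = <SOURCE>, the list comes back empty. For the splunkd.log step, read the file with open(...) and pass the lines together with the host:port from outputs.conf; a peer that shows failures but no successful connect is a network or DNS problem on the HF side, not an indexing one.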


Path Finder

Thanks cusello and woodcock. Apart from adding the last line of the stanza, I had to enable indexer acknowledgment to make it work.


Esteemed Legend

The body-less stanza header is completely useless and unnecessary, so that cannot be it. I agree with the rest of what @cusello advises, though.


Path Finder

Hello cusello, in the search head I am getting data, but it is very weird.

1) In search I can see cluster-peer2 in splunk_server in the SH; I only configured cluster-peer1 for this specific log monitoring.
2) It is coming via index "main" rather than the index (test) I created and specified in the inputs file.


Communicator

Hi,
are you sure it's cluser, and not cluster?