Hello all, we need help with the issue below.
While we are routing data to 2 different indexer groups using _TCP_ROUTING in inputs.conf, when one group is down, data was not forwarded to the second group of indexers. Is this expected?
Please provide your inputs if you have any similar issue or know how to handle this case.
Thanks
If you are using cloned groups, the default is to stop all forwarding as soon as one group is not accepting data.
Check for settings in outputs.conf like blockOnCloning.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf
For syslog routing it's also stopping as soon as splunktcp or syslog are blocked.
For _TCP_ROUTING I am not sure of the behavior; it may be the same.
Not true, according to the outputs.conf manual since version 7 at least. One cloned output group should be enough to keep the event flow running.
Whether or not the TcpOutputProcessor should wait until at least one of the cloned output groups receives events before attempting to send more events. * If set to "true", the TcpOutputProcessor blocks until at least one of the cloned groups receives events.
The definition of a cloned group, according to the manual, is when there are two or more groups in the defaultGroup attribute. https://docs.splunk.com/Documentation/Forwarder/8.1.3/Forwarder/Configureforwardingwithoutputs.conf
This is so strange, since the real behavior is like Rich says. That's my experience as well. https://community.splunk.com/t5/Getting-Data-In/Any-data-forwarding-issue-using-data-cloning-and-dif...
If there is one or no groups in defaultGroup you might have some different behavior, since then you must use _TCP_ROUTING instead, and the event metadata is tagged with the route in that case, which is probably not the case if you use two groups in defaultGroup.
Anyone with any practical experience, please share.
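Added example, not part of any post above and not Splunk's own code: a small Python check that reads a forwarder's inputs.conf and outputs.conf and reports the settings this thread turns on (inputs whose _TCP_ROUTING names more than one group, whether defaultGroup lists two or more groups, the explicit blockOnCloning value, and routed groups with no [tcpout:<name>] stanza). The sample configs, group names, hosts and paths are constructed, and the function names are hypothetical.

```python
import configparser

# Constructed sample configs: group names, hosts and paths are hypothetical.
INPUTS_CONF = """
[monitor:///var/log/app]
_TCP_ROUTING = groupA,groupB

[monitor:///var/log/sys]
index = os
"""
OUTPUTS_CONF = """
[tcpout]
defaultGroup = groupA
blockOnCloning = true

[tcpout:groupA]
server = idx-a1.example.com:9997

[tcpout:groupB]
server = idx-b1.example.com:9997
"""

def parse_conf(text):
    """Parse Splunk .conf text, keeping key case and treating only '=' as delimiter."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep _TCP_ROUTING / defaultGroup as written
    cp.read_string(text)
    return cp

def split_groups(value):
    return [g.strip() for g in value.split(",") if g.strip()]

def audit(inputs_text, outputs_text):
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    defined = {s.split(":", 1)[1] for s in outputs.sections() if s.startswith("tcpout:")}
    tcpout = outputs["tcpout"] if outputs.has_section("tcpout") else {}
    default_groups = split_groups(tcpout.get("defaultGroup", ""))
    routed = {s: split_groups(inputs[s]["_TCP_ROUTING"])
              for s in inputs.sections() if "_TCP_ROUTING" in inputs[s]}
    referenced = set(default_groups).union(*routed.values())
    return {
        "multi_group_inputs": {s: g for s, g in routed.items() if len(g) > 1},
        "cloned_default_group": len(default_groups) > 1,  # the manual's definition cited in the thread
        "blockOnCloning": tcpout.get("blockOnCloning"),    # None when not set explicitly
        "undefined_groups": sorted(referenced - defined),  # routed to, but no [tcpout:<name>] stanza
    }

if __name__ == "__main__":
    for key, value in audit(INPUTS_CONF, OUTPUTS_CONF).items():
        print(f"{key}: {value}")
```

The script only reports what is configured; it does not settle which blocking behaviour the forwarder actually exhibits when one group is down.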