Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can we send data to nullqueue at indexer layer. So that it will consume license.

SagarSplunk
Engager
‎06-13-2017 11:59 PM

Hi All,

We have 2 Splunk instances first instance existing one to monitor security logs and second instance (to be) is to monitor Application logs, both are separate instances.
But universal forwarders used are having inuputs.conf configured for both instances.
First instance architecture:- UF --> Indexers
Second instance architecture :- UF-->HF-->Indexers
Below are the requirement questions:-
1) Inputs for both the instances are configured in one config file at UF layer. Can we perform routing of data at UF layer to both instances so that will be indexing the data required for that particular instance.
2)If the above option is not possible. can we drop data at indexer layer for first instance so that it will index only data required for instance 1.
e.g. abc.log and efg.log both the logs are on same UF (server123). abc.log should get forwarded to instance 1 and efg.log should get forwarded to insatnce2

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-16-2017 08:26 AM

Yes, you can drop it at the indexers and it will not consume license.

Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...