Deployment Architecture

Deployment monitor question?

Contributor

Hello,

I installed the deployment monitor app (DM) on the indexers and the intermediate forwarders, but they do not seem to show any data.
My architecture is:

   indexer01________________________________indexer02     

       intermediate forwarder (heavy Forwarder)

UF1_1 UF1_2 ....                       UF2_1 UF2_2 .....    (UF:Universal Forwarder)

After that, I installed DM on the 2 indexers because I want to use search on a separate indexer, and I also installed DM on the heavy forwarder.

The result I got is only one result on indexer01:
1 event in index="summary_forwarders"
The others don't have any events in the "summary_forwarders" index.

My indexer01 also acts as a deployment server for other Splunk instances.

Can you show me what the problem is and how to use the deployment monitor app in my architecture?

Builder

Hi,

I've had the same kind of issue. Basically, that intermediate forwarder won't forward data for the _internal index. You will need to whitelist that.
Here is my question and solution.

In short, add this to etc/system/local/outputs.conf on your intermediate forwarder:

[tcpout]
forwardedindex.3.whitelist = _internal

Hope it helps. Let me know.
(Update: incorrectly specified inputs.conf. Real file is outputs.conf)

0 Karma
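Why the whitelist line in the answer above changes what gets forwarded, as an added example that is not part of the original thread or Splunk's own code. It assumes the shipped defaults of that era (filters 0 to 2 below) and that the last matching filter in numeric order decides; `parse_filters` and `is_forwarded` are hypothetical helper names.

```python
import re

# Assumed defaults from etc/system/default/outputs.conf; newer releases differ,
# so check the file shipped with your own version.
DEFAULT_FILTERS = [
    (0, "whitelist", r".*"),
    (1, "blacklist", r"_.*"),
    (2, "whitelist", r"_audit"),
]

def parse_filters(conf_text):
    """Collect forwardedindex.<n>.whitelist|blacklist settings from [tcpout]."""
    filters, in_tcpout = [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_tcpout = (line == "[tcpout]")
            continue
        m = re.match(r"forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.+)$", line)
        if in_tcpout and m:
            filters.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return filters

def is_forwarded(index, local_filters=()):
    """Walk the filters in order of <n>; assumed rule: the last match wins."""
    merged = {(n, kind): rx for n, kind, rx in DEFAULT_FILTERS}
    merged.update({(n, kind): rx for n, kind, rx in local_filters})
    decision = False
    for n, kind in sorted(merged):
        # Index names are matched as a whole (assumption), not as a substring.
        if re.fullmatch(merged[(n, kind)], index):
            decision = (kind == "whitelist")
    return decision

# Constructed sample: the local outputs.conf fragment from the answer.
LOCAL_CONF = """\
[tcpout]
forwardedindex.3.whitelist = _internal
"""

if __name__ == "__main__":
    local = parse_filters(LOCAL_CONF)
    for idx in ("main", "_audit", "_internal"):
        print(idx, "default:", is_forwarded(idx), "with fix:", is_forwarded(idx, local))
```
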

Builder

Hi,
I see you're using selective indexing. I don't know how well that mixes with the whitelist, since the whitelist can only be specified under [tcpout].

So, anything using the default routing is dropped, basically. Perhaps you should specify _INDEX_AND_FORWARD_ROUTING or _TCP_ROUTING for your internal logs?

I'm afraid you're using features I'm unfamiliar with, so I may be off the mark here.

0 Karma

Contributor

[tcpout]
defaultGroup = noforward
disabled=false
forwardedindex.3.whitelist = _internal

[indexAndForward]
index=true
selectiveIndexing=true

[tcpout:indexer01]
server=178.17.0.46:9997

[tcpout:indexer02]
server=178.17.0.47:9997

It doesn't work, even when I put this option in each tcpout. I don't know where to place that option.

0 Karma

Builder

My bad! The correct file is actually outputs.conf and not inputs.conf.

It will take a while for the information to get through, since the deployment monitor is using summary indexes.
(The original answer has been corrected.)

0 Karma

Contributor

I did what you suggested, but I only see the intermediate forwarder on the indexer and don't see the other UFs. Do I need to activate that option on the UFs in order to see the whole architecture?

0 Karma