I installed deployment monitor apps(DM) on the indexers, the intermediate forwarders, but they seem not to show any data.
My architecture is:
indexer01________________________________indexer02 intermediate forwarder (heavy Forwarder) UF1_1 UF1_2 .... UF2_1 UF2_2 ..... (UF:Universal Forwarder)
After that, i install DM on 2 indexers because i want to use search in separate indexer,and also installed DM on heavy Forwarder
The result i got is just only one result in indexer01:
1 event in index="summary_forwarders"
the others haven't any event in "summary_forwarders" index.
My indexer01 also acts as a deployment server for other Splunk instances.
Can you show me the problem i get and how to use the deployment monitoring apps in my architecture ?
I've had the same kind of issue. Basically, that intermediate forwarder won't forward data for the
_internal index. You will need whitelist that.
Here is my question and solution.
In short, add this to
etc/system/local/outputs.conf on your intermediate forwarder:
[tcpout] forwardedindex.3.whitelist = _internal
Hope it helps. Let me know.
(Update: incorrectly specified inputs.conf. Real file is outputs.conf)
I see you're using selective indexing. I don't know how well that mixes with the whitelist, since the whitelist can only be specified under
So, anything using the default routing is dropped, basically. Perhaps you should specify
_TCP_ROUTING for your internal logs?
I'm afraid you're using features I'm unfamiliar with, so I may be off the mark here.
defaultGroup = noforward
forwardedindex.3.whitelist = _internal
it doesn't work, even i put this option in each tcpout, i don't know where to place that option.
My bad! The correct file is actually outputs.conf and not inputs.conf.
It will take a while for the information to get through, since the deployment monitor is using summary indexes.
(The original answer has been corrected.)
I did what you suggested but i only see the imtermediate forwarder in indexer, but don't see other UFs . Do i need to activate that option in UFs ? in order to see thoroughly architecture