Deployment Architecture

Forward all the data to another Splunk Instance

mbarbaro
Path Finder

Hello Guys,

I need help to solve an issue. I have one Splunk Enterprise installation in one place, and another Splunk Enterprise in another place but in the same network segment. Would it be possible to forward all the data that is stored in Splunk A to Splunk B without losing any information?

That's because in Splunk A we are already indexing data from our infrastructure. I would like to replicate everything into Splunk B.

Thanks

0 Karma

jkat54
SplunkTrust

If you're wanting to shut down indexer A when you're done.

You could stop Splunk on indexer A, copy /opt/splunk/ to indexer B.

Then re-ip indexer B with the ip of indexer A.

You'd probably lose some incoming data with this approach but you wouldn't lose already indexed data.

0 Karma

woodcock
Esteemed Legend

You have 3 options:
1: Index clustering which merges the Indexer Tiers
2: Index and Forward from Indexer Tier A to Indexer Tier B
3: Multi-Forward from the source to both Indexer Tier A and Indexer Tier B

But this assumes that you are talking about FUTURE data, however I suspect that you are talking about already-indexed PAST data. This can be done but it is unsupported hackery and generally not worth the effort and risk. What EXACTLY do you need to do?

0 Karma

Richfez
SplunkTrust

You could set up your forwarders to forward to both servers via your outputs.conf file on them. In that case, in your target group stanza you just set up multiple indexers and they'll all receive the data.

It would look like this:

Forwarder -> indexer1
          -> indexer2

It is not the only way to configure this, though. You could also forward the data coming in from one indexer and duplicate it to the other, which is more like you describe. That would be some variant of doing things like in this section of the docs on routing and filtering data and would look like:

Forwarder -> indexer1 -> indexer2

But in both cases you are duplicating your license needs as well.

I think the best option - if it works for your needs, at least, and which does NOT use extra license - is to just let your second search head search the first indexer. Then you won't duplicate data, but depending on permissions all the stuff will be completely searchable from either system.

0 Karma
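The two layouts described above (forwarder sending to both indexers, and indexer A indexing locally and forwarding on to indexer B) expressed as outputs.conf fragments. This is an added example and not configuration from the thread; the hostnames indexer-a.example.com and indexer-b.example.com and the receiving port 9997 are assumptions. One detail worth knowing when building this: a single [tcpout:...] group that lists several servers load-balances events across them rather than sending each event to all of them, so cloning to two indexers needs two separate groups named in defaultGroup.

```ini
# ---------------------------------------------------------------
# Layout 1: on each universal forwarder, clone data to both
# indexers. Two tcpout groups, both named in defaultGroup, so
# every event is sent to BOTH groups (a single group with two
# servers would only load-balance between them).
# ---------------------------------------------------------------
[tcpout]
defaultGroup = indexer_a, indexer_b

[tcpout:indexer_a]
server = indexer-a.example.com:9997   # assumed hostname

[tcpout:indexer_b]
server = indexer-b.example.com:9997   # assumed hostname

# ---------------------------------------------------------------
# Layout 2: on indexer A itself, keep indexing locally AND forward
# a copy of incoming data to indexer B. Only data received after
# this takes effect is forwarded; already-indexed buckets are not.
# ---------------------------------------------------------------
[indexAndForward]
index = true                           # keep writing to local indexes

[tcpout]
defaultGroup = indexer_b
# By default an indexer does not forward its own _internal/_audit
# indexes; disable that filter if B should receive them too.
forwardedindex.filter.disable = true

[tcpout:indexer_b]
server = indexer-b.example.com:9997   # assumed hostname

# ---------------------------------------------------------------
# On indexer B, inputs.conf must open the receiving port:
#   [splunktcp://9997]
#   disabled = 0
# ---------------------------------------------------------------
```

Either layout indexes every event twice, so licence usage doubles, as the post notes. When checking whether it works, searching index=_internal on indexer B for host=indexer-a* is a quick way to confirm that A's forwarded data is arriving.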