Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Forward all the data to another Splunk Instance

mbarbaro
Path Finder
‎08-06-2017 02:52 AM

Hello Guys,

i need help to solve an issue. I have 1 Splunk Enteprise installation in one place, and another Splunk enterprise in another place but in the same network segment. Would be possible to forward all the data that are stored into the Splunk A to Splunk B without loose any information ?

That's because in Splunk A we are already indexing data from our infrasctructure. i would like to replicate everything into the Splunk B.

Thanks

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-06-2017 05:52 AM

If you're wanting to shut down indexer A when you're done.

You could stop Splunk on indexer A, copy /opt/splunk/ to indexer B.

Then re-ip indexer B with the ip of indexer A.

You'd probably lose some incoming data with this approach but you wouldn't lose already indexed data.

0 Karma
Reply

woodcock
Esteemed Legend
‎08-06-2017 05:22 AM

You have 3 options:
1: Index clustering which merges the Indexer Tiers
2: Index and Forward from Indexer Tier A to Indexer Tier B
3: Multi-Forward from the source to both Indexer Tier A and Indexer Tier B

But this assumes that you are talking about FUTURE data, however I suspect that you are talking about already-indexed PAST data. This can be done but it is unsupported hackery and generally not worth the effort and risk. What EXACTLY do you need to do?

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎08-06-2017 05:19 AM

You could set up your forwarders to forward to both servers via your outputs.conf file on them. In that case, in your target group stanza you just set up multiple indexers and they'll all receive the data.

It would look like this:

Forwarder -> indexer1
          -> indexer2

It is not the only way to configure this, though. You could also forward the data coming in from one indexer and duplicate it to the other, which is more like you describe. That would be some variant of doing things like in this section of the docs on routing and filtering data and would look like:

Forwarder -> indexer1 -> indexer2

But in both cases you are duplicating your license needs as well.

I think the best option - if it works for your needs, at least, and which does NOT use extra license - is to just let your second search head search the first indexer. Then you won't duplicate data, but depending on permissions all the stuff will be completely searchable from either system.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...