Forward all the data to another Splunk Instance

mbarbaro
Path Finder

Hello Guys,

I need help to solve an issue. I have one Splunk Enterprise installation in one place, and another Splunk Enterprise in another place but in the same network segment. Would it be possible to forward all the data that is stored in Splunk A to Splunk B without losing any information?

That's because in Splunk A we are already indexing data from our infrastructure. I would like to replicate everything into Splunk B.

Thanks

0 Karma

jkat54
SplunkTrust

If you want to shut down indexer A when you're done:

You could stop Splunk on indexer A, copy /opt/splunk/ to indexer B.

Then re-ip indexer B with the ip of indexer A.

You'd probably lose some incoming data with this approach but you wouldn't lose already indexed data.

0 Karma

woodcock
Esteemed Legend

You have 3 options:
1: Index clustering which merges the Indexer Tiers
2: Index and Forward from Indexer Tier A to Indexer Tier B
3: Multi-Forward from the source to both Indexer Tier A and Indexer Tier B

But this assumes that you are talking about FUTURE data, however I suspect that you are talking about already-indexed PAST data. This can be done but it is unsupported hackery and generally not worth the effort and risk. What EXACTLY do you need to do?

0 Karma

Richfez
SplunkTrust

You could set up your forwarders to forward to both servers via your outputs.conf file on them. In that case, in your target group stanza you just set up multiple indexers and they'll all receive the data.

It would look like this:

Forwarder -> indexer1
          -> indexer2

It is not the only way to configure this, though. You could also forward the data coming in from one indexer and duplicate it to the other, which is more like you describe. That would be some variant of doing things like in this section of the docs on routing and filtering data and would look like:

Forwarder -> indexer1 -> indexer2

But in both cases you are duplicating your license needs as well.

I think the best option - if it works for your needs, at least, and which does NOT use extra license - is to just let your second search head search the first indexer. Then you won't duplicate data, but depending on permissions all the stuff will be completely searchable from either system.

0 Karma
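The two forwarding layouts drawn above (forwarder cloning to both indexers, and indexer1 indexing locally and then forwarding on to indexer2, which are also woodcock's options 3 and 2) as outputs.conf fragments. This is an added example, not configuration from the thread or from Splunk's own docs; the hostnames, port 9997 and the group names indexerA/indexerB are placeholders. One check worth making before copying it: servers listed inside a single `[tcpout:<group>]` stanza are load-balanced, so each event lands on only one of them; to deliver a copy to every indexer, each indexer needs its own target group and all groups are named in `defaultGroup`.

```ini
# --- Layout 1: forwarder -> indexer1 and -> indexer2 (cloning) ---
# File: $SPLUNK_HOME/etc/system/local/outputs.conf on the forwarder
# (constructed example; hostnames and ports are placeholders)
[tcpout]
# naming two groups here sends every event to BOTH groups
defaultGroup = indexerA, indexerB

# one target group per indexer; a group with several servers would
# load-balance across them instead of duplicating
[tcpout:indexerA]
server = indexerA.example.com:9997

[tcpout:indexerB]
server = indexerB.example.com:9997

# --- Layout 2: forwarder -> indexer1 -> indexer2 (index and forward) ---
# File: $SPLUNK_HOME/etc/system/local/outputs.conf on indexer A
# (a full Splunk Enterprise instance keeps its local copy and forwards on)
[tcpout]
defaultGroup = indexerB

[tcpout:indexerB]
server = indexerB.example.com:9997

# keep indexing locally on A in addition to forwarding; without this,
# an instance with outputs.conf configured forwards only
[indexAndForward]
index = true
```

In both layouts the receiving indexer must be listening for forwarder traffic (an inputs.conf `[splunktcp://9997]` stanza on B), and, as Richfez notes, every event is now indexed twice, so the ingest counts against license on both instances. Neither layout moves data that A has already indexed; it only affects events arriving after the restart that applies the config.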