Deployment Architecture

Forward all the data to another Splunk Instance

Path Finder

Hello Guys,

I need help to solve an issue. I have 1 Splunk Enterprise installation in one place, and another Splunk Enterprise in another place but in the same network segment. Would it be possible to forward all the data that is stored in Splunk A to Splunk B without losing any information?

That's because in Splunk A we are already indexing data from our infrastructure. I would like to replicate everything into Splunk B.


0 Karma


If you're wanting to shut down indexer A when you're done.

You could stop Splunk on indexer A, copy /opt/splunk/ to indexer B.

Then re-IP indexer B with the IP of indexer A.

You'd probably lose some incoming data with this approach but you wouldn't lose already indexed data.

0 Karma

Esteemed Legend

You have 3 options:
1: Index clustering which merges the Indexer Tiers
2: Index and Forward from Indexer Tier A to Indexer Tier B
3: Multi-Forward from the source to both Indexer Tier A and Indexer Tier B

But this assumes that you are talking about FUTURE data; however, I suspect that you are talking about already-indexed PAST data. This can be done but it is unsupported hackery and generally not worth the effort and risk. What EXACTLY do you need to do?

0 Karma


You could set up your forwarders to forward to both servers via your outputs.conf file on them. In that case, in your target group stanza you just set up multiple indexers and they'll all receive the data.

It would look like this:

Forwarder -> indexer1
          -> indexer2

It is not the only way to configure this, though. You could also forward the data coming in from one indexer and duplicate it to the other, which is more like you describe. That would be some variant of doing things like in this section of the docs on routing and filtering data and would look like:

Forwarder -> indexer1 -> indexer2

But in both cases you are duplicating your license needs as well.

I think the best option - if it works for your needs, at least, and which does NOT use extra license - is to just let your second search head search the first indexer. Then you won't duplicate data, but depending on permissions all the stuff will be completely searchable from either system.

0 Karma
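
An added example, not part of the thread and not Splunk's own tooling: in outputs.conf, servers listed inside one target group are load-balanced, while each target group named in `defaultGroup` receives its own copy of the data. The check below reads an outputs.conf and reports which case applies; the host names, group names and both sample configurations are constructed for illustration.

```python
import configparser

# Constructed sample: one target group with two servers (load-balanced, not duplicated).
ONE_GROUP = """
[tcpout]
defaultGroup = all_indexers

[tcpout:all_indexers]
server = indexer1.example.com:9997, indexer2.example.com:9997
"""

# Constructed sample: two target groups, so every event is cloned to both.
TWO_GROUPS = """
[tcpout]
defaultGroup = site_a, site_b

[tcpout:site_a]
server = indexer1.example.com:9997
useACK = true

[tcpout:site_b]
server = indexer2.example.com:9997
useACK = true
"""

def split_list(value):
    """Split a comma-separated outputs.conf value into trimmed items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def describe_outputs(conf_text):
    """Return {group: [servers]} for the groups named in defaultGroup."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names such as defaultGroup case-sensitive
    cp.read_string(conf_text)
    groups = split_list(cp.get("tcpout", "defaultGroup", fallback=""))
    return {g: split_list(cp.get(f"tcpout:{g}", "server", fallback="")) for g in groups}

def every_indexer_gets_all_data(conf_text):
    """True only if each server sits alone in its own default target group."""
    routing = describe_outputs(conf_text)
    return bool(routing) and all(len(s) == 1 for s in routing.values())

if __name__ == "__main__":
    for name, text in (("ONE_GROUP", ONE_GROUP), ("TWO_GROUPS", TWO_GROUPS)):
        print(name, describe_outputs(text), every_indexer_gets_all_data(text))
```
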