Hello Guys,
i need help to solve an issue. I have 1 Splunk Enteprise installation in one place, and another Splunk enterprise in another place but in the same network segment. Would be possible to forward all the data that are stored into the Splunk A to Splunk B without loose any information ?
That's because in Splunk A we are already indexing data from our infrasctructure. i would like to replicate everything into the Splunk B.
Thanks
If you're wanting to shut down indexer A when you're done.
You could stop Splunk on indexer A, copy /opt/splunk/ to indexer B.
Then re-ip indexer B with the ip of indexer A.
You'd probably lose some incoming data with this approach but you wouldn't lose already indexed data.
You have 3 options:
1: Index clustering which merges the Indexer Tiers
2: Index and Forward from Indexer Tier A to Indexer Tier B
3: Multi-Forward from the source to both Indexer Tier A and Indexer Tier B
But this assumes that you are talking about FUTURE data, however I suspect that you are talking about already-indexed PAST data. This can be done but it is unsupported hackery and generally not worth the effort and risk. What EXACTLY do you need to do?
You could set up your forwarders to forward to both servers via your outputs.conf
file on them. In that case, in your target group stanza you just set up multiple indexers and they'll all receive the data.
It would look like this:
Forwarder -> indexer1
-> indexer2
It is not the only way to configure this, though. You could also forward the data coming in from one indexer and duplicate it to the other, which is more like you describe. That would be some variant of doing things like in this section of the docs on routing and filtering data and would look like:
Forwarder -> indexer1 -> indexer2
But in both cases you are duplicating your license needs as well.
I think the best option - if it works for your needs, at least, and which does NOT use extra license - is to just let your second search head search the first indexer. Then you won't duplicate data, but depending on permissions all the stuff will be completely searchable from either system.