Deployment Architecture

Forward data to indexer cluster

RanjithaN99
Explorer

Hi,

I am working in a distributed Splunk environment with one search head and an indexer cluster.

I am trying to monitor a path that is on the search head and I created a monitor input from the web GUI.

How do I create an index on the indexer cluster and configure forwarding from the search head to the indexer cluster.

Please help me.

Thanks 

 

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @RanjithaN99,

Indexer Cluster is managed by the Cluster Manager so you have to create the new indexes.conf in this server that deploys it to the indexers; for more infos see at https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Aboutclusters

in few words, you have to create a stanza in indexes.conf with the new index using the CLI and push the configuration using GUI.

For data forwarding from te SH to the Indexers, you should already have this configuration because it's a best practice to send internal logs from all the Splunk servers to Indexers.

If not go in [Settings > Forwarding and Receiving > Forwarding] and configure Forwarding.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...