Deployment Architecture

Forwarding from one indexer to another

Path Finder

I have one search-head and two indexers (let's call indexer1 and indexer2). Clients are sending all syslog to indexer1:514. Is it possible to set up forwarding on indexer1, that it will forward half of syslog data to the indexer2? I want to balance that data on two servers.

Tags (1)
0 Karma


I did the indexing and forwarding with props/transforms/outputs at on indexer and inputs on the destination but it does forward only newly indexed data.

There´s any way to forward old indexed data right before starting the indexing and forwarding config ?

0 Karma


No, there is not.

0 Karma


Setup a load balancer for the 2 indexers and you will get a load balanced DNS name or IP.
Make the Clients to forward data to the load balanced IP or DNS. (This you need to setup in outputs.conf of all the forwarders/Clients)
Later , all the forwarders forwards the data to the load-balancer - which takes the job of balancing the load.

0 Karma

Path Finder

The point is that users dont use splunk forwarders to send syslog. They use for example tattle or other stuff that doesn't support loadbalancing and they can set up only one destination address.
I was thinking about running splunk forwarder on some machine, set listening on port 514 and then configure forwarding all received data to idexers with parameters:
autoLB = true
autoLBFrequency = 30

How about that? Will it work? Is it possible?

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...