Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Forwarding from one indexer to another

bckq
Path Finder
‎11-27-2013 07:24 PM

I have one search-head and two indexers (let's call indexer1 and indexer2). Clients are sending all syslog to indexer1:514. Is it possible to set up forwarding on indexer1, that it will forward half of syslog data to the indexer2? I want to balance that data on two servers.

Tags (1)
0 Karma
Reply

theunf
Communicator
‎09-02-2014 01:21 AM

I did the indexing and forwarding with props/transforms/outputs at on indexer and inputs on the destination but it does forward only newly indexed data.

There´s any way to forward old indexed data right before starting the indexing and forwarding config ?

0 Karma
Reply

Ayn
Legend
‎09-02-2014 01:24 AM

No, there is not.

0 Karma
Reply

chimbudp
Contributor
‎11-27-2013 10:43 PM

Setup a load balancer for the 2 indexers and you will get a load balanced DNS name or IP.
Make the Clients to forward data to the load balanced IP or DNS. (This you need to setup in outputs.conf of all the forwarders/Clients)
Later , all the forwarders forwards the data to the load-balancer - which takes the job of balancing the load.

0 Karma
Reply

bckq
Path Finder
‎11-28-2013 03:42 PM

The point is that users dont use splunk forwarders to send syslog. They use for example tattle or other stuff that doesn't support loadbalancing and they can set up only one destination address.
I was thinking about running splunk forwarder on some machine, set listening on port 514 and then configure forwarding all received data to idexers with parameters:
autoLB = true
autoLBFrequency = 30

How about that? Will it work? Is it possible?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...