I have one search-head and two indexers (let's call indexer1 and indexer2). Clients are sending all syslog to indexer1:514. Is it possible to set up forwarding on indexer1, that it will forward half of syslog data to the indexer2? I want to balance that data on two servers.
I did the indexing and forwarding with props/transforms/outputs at on indexer and inputs on the destination but it does forward only newly indexed data.
There´s any way to forward old indexed data right before starting the indexing and forwarding config ?
No, there is not.
Setup a load balancer for the 2 indexers and you will get a load balanced DNS name or IP.
Make the Clients to forward data to the load balanced IP or DNS. (This you need to setup in outputs.conf of all the forwarders/Clients)
Later , all the forwarders forwards the data to the load-balancer - which takes the job of balancing the load.
The point is that users dont use splunk forwarders to send syslog. They use for example tattle or other stuff that doesn't support loadbalancing and they can set up only one destination address.
I was thinking about running splunk forwarder on some machine, set listening on port 514 and then configure forwarding all received data to idexers with parameters:
autoLB = true
autoLBFrequency = 30
How about that? Will it work? Is it possible?