Deployment Architecture

Forwarding from one indexer to another

Path Finder

I have one search-head and two indexers (let's call indexer1 and indexer2). Clients are sending all syslog to indexer1:514. Is it possible to set up forwarding on indexer1, that it will forward half of syslog data to the indexer2? I want to balance that data on two servers.

Tags (1)
0 Karma

Path Finder

I did the indexing and forwarding with props/transforms/outputs at on indexer and inputs on the destination but it does forward only newly indexed data.

There´s any way to forward old indexed data right before starting the indexing and forwarding config ?

0 Karma


No, there is not.

0 Karma


Setup a load balancer for the 2 indexers and you will get a load balanced DNS name or IP.
Make the Clients to forward data to the load balanced IP or DNS. (This you need to setup in outputs.conf of all the forwarders/Clients)
Later , all the forwarders forwards the data to the load-balancer - which takes the job of balancing the load.

0 Karma

Path Finder

The point is that users dont use splunk forwarders to send syslog. They use for example tattle or other stuff that doesn't support loadbalancing and they can set up only one destination address.
I was thinking about running splunk forwarder on some machine, set listening on port 514 and then configure forwarding all received data to idexers with parameters:
autoLB = true
autoLBFrequency = 30

How about that? Will it work? Is it possible?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...