Deployment Architecture

Help needed for Splunk Index and Forward setup

somesoni2
Revered Legend

Hi,

I have the following instances in my environment.

5 - Forwarders - Splunk 5.0.5
1 - Indexer - Splunk 5.0.5
1 - Indexer - Splunk 6.0

All forwarders are setup to forward data to Indexer 5.0.5 on port 9997 and they are working fine.

What I want to do now is to configure Indexer 5.0.5 for the "Index and Forward" option so that it stores events from all forwarders locally and also forwards them to Indexer 6.0.

All instances are using SSL connection.
Could anyone tell me what all configurations are required to do the same and which instance should be configured in what way?

I have tried the following so far with no luck [Splunk Indexer 6.0 is configured to receive on port 9998 for all]

  1. Added forwarding and saving a local copy in Indexer 5.0.5 to Indexer 6.0 on port 9998, restarted Indexer 5.0.5 - didn't work.
  2. Added forwarding and saving a local copy in Indexer 5.0.5 to Indexer 6.0 on port 9998, added the following stanza in inputs.conf in Indexer 5.0.5, restarted Indexer 5.0.5 - didn't work.

    [splunktcp://9997]
    connection_host = none

  3. Added forwarding and saving a local copy in Indexer 5.0.5 to Indexer 6.0 on port 9998, added the following stanza in inputs.conf in Indexer 6.0, restarted both Indexer 5.0.5 and Indexer 6.0 - didn't work.

    [splunktcp://9998]
    connection_host = none

I'd appreciate your help here; I've been stuck on this for so long.

0 Karma
1 Solution

somesoni2
Revered Legend

Resolved with the following configuration.

Splunk 6.0 Indexer
inputs.conf

[SSL]
password = certpassword
rootCA = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
serverCert = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
requireClientCert = false

[splunktcp-ssl:9998]
compressed = true

Splunk 5.0 Indexer
outputs.conf

[tcpout]
defaultGroup = DEV_INDEXERS_6_0
indexAndForward = true
disabled = false

[tcpout:DEV_INDEXERS_6_0]
compressed = true
server = <splunk6 indexer server>:9998
sslCertPath = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
sslPassword = certpassword
sslRootCAPath = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
sslVerifyServerCert = false
useACK = true
sendCookedData = true

Restarted both indexers and boom.


0 Karma
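As an added example (not the poster's code), a small Python linter that parses the sender's outputs.conf and the receiver's inputs.conf from the accepted answer and checks the pair: index-and-forward is on, the default group exists, a TLS-configured sender points at a splunktcp-ssl receiver (the mismatch behind the plain splunktcp attempts in the question), and the two trust settings that are left off in the posted config. The sample strings and the receiver hostname are constructed.

```python
import configparser
# Constructed samples based on the accepted answer (hostname is a placeholder).
OUTPUTS_CONF = """[tcpout]
defaultGroup = DEV_INDEXERS_6_0
indexAndForward = true

[tcpout:DEV_INDEXERS_6_0]
server = splunk6.example.internal:9998
sslCertPath = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
sslVerifyServerCert = false
"""
INPUTS_CONF = """[SSL]
rootCA = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
serverCert = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
requireClientCert = false

[splunktcp-ssl:9998]
"""


def parse_conf(text):
    # Splunk .conf files are INI-like; keep key case, no $-interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def is_true(section, key):
    return section.get(key, "false").strip().lower() == "true"


def lint_chain(outputs_text, inputs_text):
    """Findings for sender outputs.conf + receiver inputs.conf; [] is clean."""
    out, inp, findings = parse_conf(outputs_text), parse_conf(inputs_text), []
    tcpout = out["tcpout"] if out.has_section("tcpout") else {}
    if not is_true(tcpout, "indexAndForward"):
        findings.append("indexAndForward is not true: sender keeps no local copy")
    group = tcpout.get("defaultGroup", "")
    if not out.has_section(f"tcpout:{group}"):
        return findings + [f"defaultGroup '{group}' has no [tcpout:{group}] stanza"]
    grp = out[f"tcpout:{group}"]
    port = grp.get("server", "").rsplit(":", 1)[-1]
    # A TLS sender needs a splunktcp-ssl receiver; plain splunktcp will not work.
    if "sslCertPath" in grp and not inp.has_section(f"splunktcp-ssl:{port}"):
        findings.append(f"sender uses TLS but receiver has no [splunktcp-ssl:{port}]")
    if not is_true(grp, "sslVerifyServerCert"):
        findings.append("sslVerifyServerCert=false: sender accepts any receiver cert")
    ssl = inp["SSL"] if inp.has_section("SSL") else {}
    if not is_true(ssl, "requireClientCert"):
        findings.append("requireClientCert=false: any host can push cooked data")
    return findings
```

Run against the posted pair it reports only the two trust findings; flipping both to true yields an empty list.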
