Hi,
I have the following instances in my environment.
5 - Forwarders - Splunk 5.0.5
1 - Indexer - Splunk 5.0.5
1 - Indexer - Splunk 6.0
All forwarders are setup to forward data to Indexer 5.0.5 on port 9997 and they are working fine.
What I want to do now is to configure Indexer 5.0.5 with the "Index and Forward" option so that it will store events from all forwarders locally as well as forward them to Indexer 6.0.
All instances are using SSL connection.
Could anyone tell me what all configurations are required to do the same and which instance should be configured in what way?
I have tried the following so far with no luck [Splunk Indexer 6.0 is configured to receive on port 9998 for all]
Added forwarding and saving local copy in Indexer 5.0.5 to Indexer 6.0 on port 9998, added the following stanza in inputs.conf in Indexer 5.0.5, restarted Indexer 5.0.5, didn't work.
[splunktcp://9997]
connection_host = none
Added forwarding and saving local copy in Indexer 5.0.5 to Indexer 6.0 on port 9998, added the following stanza in inputs.conf in Indexer 6.0, restarted both Indexer 5.0.5 and Indexer 6.0, didn't work.
[splunktcp://9998]
connection_host = none
Appreciate your help here. Got stuck for so long.
Resolved with the following configuration.
Splunk 6.0 Indexer
inputs.conf
[SSL]
password = certpassword
rootCA = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
serverCert = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
requireClientCert = false
[splunktcp-ssl:9998]
compressed = true
Splunk 5.0 Indexer
outputs.conf
[tcpout]
defaultGroup = DEV_INDEXERS_6_0
indexAndForward = true
disabled = false
[tcpout:DEV_INDEXERS_6_0]
compressed = true
server = <splunk6 indexer server>:9998
sslCertPath = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
sslPassword = certpassword
sslRootCAPath = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
sslVerifyServerCert = false
useACK = true
sendCookedData = true
Restarted both indexers and boom.
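A small audit of the settings in this thread, as an added example that is not part of the original posts or of Splunk's own tooling: it flags a TLS-enabled output group pointed at a plain splunktcp receiver stanza (the combination in the question's attempts) and the two certificate checks the working configuration leaves at false. The function names, the finding codes, and the rule that sslCertPath marks a TLS group are assumptions of this example.

```python
import configparser
import re

# Receiver stanza from the question's failed attempt (Splunk 6.0 inputs.conf).
QUESTION_INPUTS = "[splunktcp://9998]\nconnection_host = none\n"
# Security-relevant lines from the working configuration in the answer.
ANSWER_INPUTS = """\
[SSL]
requireClientCert = false
[splunktcp-ssl:9998]
compressed = true
"""
ANSWER_OUTPUTS = """\
[tcpout:DEV_INDEXERS_6_0]
server = <splunk6 indexer server>:9998
sslCertPath = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
sslVerifyServerCert = false
"""

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case as written in the .conf file
    cp.read_string(text)
    return cp

def enabled(section, key):
    # An absent key counts as off: both settings checked here default to false.
    return section.get(key, "false").strip().lower() in ("true", "1", "t", "yes", "y")

def audit(outputs_text, inputs_text):
    """Return sorted finding codes for a sender outputs.conf and a receiver inputs.conf."""
    out, inp = parse(outputs_text), parse(inputs_text)
    stanzas = [re.fullmatch(r"splunktcp(-ssl)?:(?://)?(\d+)", s) for s in inp.sections()]
    ssl = {m.group(2) for m in stanzas if m and m.group(1)}
    plain = {m.group(2) for m in stanzas if m and not m.group(1)}
    findings = set()
    for name in out.sections():
        group = out[name]
        # Assumption: a tcpout group that sets sslCertPath is sending over TLS.
        if not name.startswith("tcpout:") or "sslCertPath" not in group:
            continue
        for target in group.get("server", "").split(","):
            if target.rsplit(":", 1)[-1].strip() in plain - ssl:
                findings.add("tls-sender-to-plain-receiver")
        if not enabled(group, "sslVerifyServerCert"):
            findings.add("server-cert-not-verified")
    if ssl and not (inp.has_section("SSL") and enabled(inp["SSL"], "requireClientCert")):
        findings.add("client-cert-not-required")
    return sorted(findings)
```

Calling audit(ANSWER_OUTPUTS, ANSWER_INPUTS) reports both verification findings; with sslVerifyServerCert and requireClientCert set to true on the respective indexers it returns an empty list.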