Deployment Architecture

Help needed for Splunk Index and Forward setup

somesoni2
Revered Legend

Hi,

I have following instances in my environment.

5 - Forwarders - Splunk 5.0.5
1 - Indexer - Splunk 5.0.5
1 - Indexer - Splunk 6.0

All forwarders are setup to forward data to Indexer 5.0.5 on port 9997 and they are working fine.

What I want to do now is the configure Indexer 5.0.5 for "Index and Forward" options so that it will store events from all forwarders locally as well as forward it to Indexer 6.0.

All instances are using SSL connection.
Could anyone tell me what all configurations are required to do the same and which instance should be configured in what way?

I have tried following so far with no luck [Splunk Indexer 6.0 is configured to receive on port 9998 for all]

  1. Added forwarding and saving local copy in Indexer 5.0.5 to Indexer 6.0 on port 9998, restarted Indexer 5.0.5 - didn't work
  2. Added forwarding and saving local copy in Indexer 5.0.5 to Indexer 6.0 on port 9998, added following stanza in inputs.conf in Indexer 5.0.5, restarted Indexer 5.0.5, didn't work.

    [splunktcp://9997]
    connection_host = none

  3. Added forwarding and saving local copy in Indexer 5.0.5 to Indexer 6.0 on port 9998, added following stanza in inputs.conf in Indexer 6.0, restarted both Indexer 5.0.5 and Indexer 6.0 , didn't work.

    [splunktcp://9998]
    connection_host = none

Appreciate your help here. Got stuck for so long.

0 Karma
1 Solution

somesoni2
Revered Legend

Resolved. With following configuration.

Splunk 6.0 Indexer
Inputs.conf

[SSL]
password = certpassword
rootCA = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
serverCert = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
requireClientCert = false

[splunktcp-ssl:9998]
compressed = true

Splunk 5.0 Indexer
outputs.conf

[tcpout]
defaultGroup = DEV_INDEXERS_6_0
indexAndForward = true
disabled = false

[tcpout:DEV_INDEXERS_6_0]
compressed = true
server = <splunk6 indexer server>:9998
sslCertPath = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
sslPassword = certpassword
sslRootCAPath = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
sslVerifyServerCert = false   
useACK = true
sendCookedData = true

Restarted both indexers and boom.

View solution in original post

0 Karma

somesoni2
Revered Legend

Resolved. With following configuration.

Splunk 6.0 Indexer
Inputs.conf

[SSL]
password = certpassword
rootCA = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
serverCert = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
requireClientCert = false

[splunktcp-ssl:9998]
compressed = true

Splunk 5.0 Indexer
outputs.conf

[tcpout]
defaultGroup = DEV_INDEXERS_6_0
indexAndForward = true
disabled = false

[tcpout:DEV_INDEXERS_6_0]
compressed = true
server = <splunk6 indexer server>:9998
sslCertPath = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
sslPassword = certpassword
sslRootCAPath = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
sslVerifyServerCert = false   
useACK = true
sendCookedData = true

Restarted both indexers and boom.

View solution in original post

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!