Deployment Architecture

Help needed for Splunk Index and Forward setup

somesoni2
Revered Legend

Hi,

I have the following instances in my environment.

5 - Forwarders - Splunk 5.0.5
1 - Indexer - Splunk 5.0.5
1 - Indexer - Splunk 6.0

All forwarders are setup to forward data to Indexer 5.0.5 on port 9997 and they are working fine.

What I want to do now is to configure Indexer 5.0.5 for the "Index and Forward" option so that it will store events from all forwarders locally as well as forward them to Indexer 6.0.

All instances are using SSL connection.
Could anyone tell me what configurations are required to do this and which instance should be configured in what way?

I have tried the following so far with no luck [Splunk Indexer 6.0 is configured to receive on port 9998 for all]:

  1. Added forwarding and saving local copy in Indexer 5.0.5 to Indexer 6.0 on port 9998, restarted Indexer 5.0.5 - didn't work
  2. Added forwarding and saving local copy in Indexer 5.0.5 to Indexer 6.0 on port 9998, added the following stanza in inputs.conf in Indexer 5.0.5, restarted Indexer 5.0.5 - didn't work.

    [splunktcp://9997]
    connection_host = none

  3. Added forwarding and saving local copy in Indexer 5.0.5 to Indexer 6.0 on port 9998, added the following stanza in inputs.conf in Indexer 6.0, restarted both Indexer 5.0.5 and Indexer 6.0 - didn't work.

    [splunktcp://9998]
    connection_host = none

Appreciate your help here. I've been stuck on this for so long.

0 Karma
1 Solution

somesoni2
Revered Legend

Resolved, with the following configuration.

Splunk 6.0 Indexer
inputs.conf

    [SSL]
    password = certpassword
    rootCA = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
    serverCert = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
    requireClientCert = false

    [splunktcp-ssl:9998]
    compressed = true

Splunk 5.0 Indexer
outputs.conf

    [tcpout]
    defaultGroup = DEV_INDEXERS_6_0
    indexAndForward = true
    disabled = false

    [tcpout:DEV_INDEXERS_6_0]
    compressed = true
    server = <splunk6 indexer server>:9998
    sslCertPath = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
    sslPassword = certpassword
    sslRootCAPath = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
    sslVerifyServerCert = false
    useACK = true
    sendCookedData = true

Restarted both indexers and boom.

0 Karma
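The accepted answer gets the link working, but two of its settings leave the indexer-to-indexer TLS connection unauthenticated in one direction each: `sslVerifyServerCert = false` means the 5.0.5 indexer never checks who it is sending cooked data to, and `requireClientCert = false` means the 6.0 receiver accepts cooked data from any client that can reach port 9998. The following is an added audit script, not part of the thread or of Splunk; it parses the two .conf fragments from the answer (embedded inline as sample input) and reports those settings plus the still-clear-text `sslPassword`. The finding wording and the `audit_tls` name are my own.

```python
import configparser

# Constructed sample: the outputs.conf and inputs.conf fragments from the accepted answer, inlined.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = DEV_INDEXERS_6_0
indexAndForward = true

[tcpout:DEV_INDEXERS_6_0]
server = <splunk6 indexer server>:9998
sslCertPath = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
sslPassword = certpassword
sslRootCAPath = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
sslVerifyServerCert = false
useACK = true
"""

INPUTS_CONF = """
[SSL]
password = certpassword
rootCA = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
serverCert = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
requireClientCert = false

[splunktcp-ssl:9998]
compressed = true
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; keys keep their case and $SPLUNK_HOME stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def is_true(kv, key):
    # Both settings checked here default to false in Splunk when absent, so absent counts as off.
    return kv.get(key, "false").strip().lower() in ("true", "1", "yes")

def audit_tls(outputs_text, inputs_text):
    """Return findings for the TLS settings on the index-and-forward link (empty list when hardened)."""
    findings = []
    for stanza, kv in parse_conf(outputs_text).items():
        if stanza.startswith("tcpout:") and "sslCertPath" in kv and not is_true(kv, "sslVerifyServerCert"):
            findings.append(f"outputs.conf [{stanza}]: sslVerifyServerCert is off, receiving indexer is not authenticated")
        # Splunk rewrites the password to an encrypted $1$... value on restart; anything else is clear text.
        if stanza.startswith("tcpout:") and "sslPassword" in kv and not kv["sslPassword"].startswith("$"):
            findings.append(f"outputs.conf [{stanza}]: sslPassword is stored in clear text")
    inputs = parse_conf(inputs_text)
    if any(s.startswith("splunktcp-ssl:") for s in inputs) and not is_true(inputs.get("SSL", {}), "requireClientCert"):
        findings.append("inputs.conf [SSL]: requireClientCert is off, any client reaching the port can send cooked data")
    return findings
```

Setting `sslVerifyServerCert = true` (with `sslCommonNameToCheck` naming the receiver's certificate) and `requireClientCert = true` on the receiver makes the script return no findings.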
