Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lost all indexes

satiex
Explorer
‎06-07-2018 01:14 AM

Hi,

I created an App on my Splunk indexer which had a props.conf, outputs.conf and transforms.conf with the following data: 

[syslog]
TRANSFORMS-routing = routeAll, routeSubset

Edit $SPLUNK_HOME/etc/system/local/transforms.conf and add the following text:

[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Everything

[routeSubset]
REGEX=(SYSTEM|CONFIG|THREAT)
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary,Everything

Edit $SPLUNK_HOME/etc/system/local/outputs.conf and add the following text:

[tcpout]
defaultGroup=nothing

[tcpout:Everything]
disabled=false
server=10.1.12.1:9997

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=10.1.12.2:1234

I then restarted my Splunk service and it froze while restarting. It then appeared that my server had frozen, so I restarted the server on the hypervisor level after waiting some time with splunk not coming back online.

Once it was back online, I realised that all Indexes were completely wiped from the mount point, and the indexes reset and started populating with new data coming from the heavy forwarder.

Is there any way that changes to conf files could have done this? Or could this have happened if the server crashed while Splunk was restarting?

Thank you.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎06-07-2018 06:44 AM

outputs.conf on the indexers is a really bad idea ...
you literally tell the indexer to ship its data out

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎06-07-2018 06:44 AM

outputs.conf on the indexers is a really bad idea ...
you literally tell the indexer to ship its data out

0 Karma
Reply
Solved! Jump to solution

satiex
Explorer
‎06-07-2018 04:05 PM

I see. It sounds like that is what happened.

What I'm trying to accomplish is "Replicate a subset of data to a third-party system" from this page: http://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad

HF recieves data via syslog from a source. I want to filter the syslog from that source and send a subset of that to another syslog server.

I will create a new ticket to ask about how to achieve this, as the example given is for forwarding raw data only from the HF. It says that if you want to forward syslog data it needs to be output from an indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...