Hi,
I have one index server "A" and another one "B".
For a while I had few forwarders to send data to "A" (each forwarder data to specific index).
Now, I need to point one of the forwarders (let's call it "C") to "B".
I have added an index of "C" to "B" (same as on "A"), changed "C"'s outputs.conf to send data to "B", restarted both B and C...
I see connection from C to B, but no data is being sent.
To add some complexity - using SSL, so the data is encrypted and compressed.
I cannot find any traces of the problem in the logs, even in debug mode.
If you had been there - Your help is greatly appreciated!
Thank you, ildus
Well, it is embarrassing to admit... I had a small typo in inputs.conf
thank you for your help! I still did not get it to work, but I know it is SSL Certs issue now. My typo was in inputs.conf on server B and I simply overlooked an error 'Can't read certificate file'...
Well, it is embarrassing to admit... I had a small typo in inputs.conf
If you don't see anything in the logs - it may be worth verifying the new index is available as a 'selected index' for the admin role (via the Manager).
The roles are not defined yet, all done under admin role.
I have generated the SSL certs and keys (really good answer on SSL setup is here: http://splunk-base.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certi...), no errors connecting forwarder to index server (although I suspect the problem might be here somewhere).
thank you, ildus
When you created index "C" to indexer "B" did you also update the roles so that they searched index "C" by default?
Are you using the Splunk default certs for SSL or custom?