Logs from such servers are covered under "myIndex1" with repFactor as
repfactor = auto
The above configuration works fine.
For the other set of forwarder servers, we do not have indexer discovery enabled, and outputs.conf looks like this:
defaultGroup = indexer1,indexer2,indexer3,indexer4
server = 10.20.30.41:9997
server = 10.20.30.42:9997
server = 10.20.30.43:9997
server = 10.20.30.44:9997
Logs from such servers are covered under "myIndex2".
When I set "repfactor = auto" for "myIndex2", on the Search Head I can see 4 events for each log.
What configuration should I set for "myIndex2" when I am specifically sending logs to all of the indexer servers of the indexer cluster?
It is not possible for me to send logs to the master URI here, and I can't just send logs to only one of the indexers, as I want to keep things fail-safe.
Sending data to four indexers also impacts you. It's four times the license usage and you lose out on the security replication offers.
Consider setting the useACK = true setting in inputs.conf. This will ensure the data is indexed before the forwarder moves on.
Also consider using indexer discovery. This is where the cluster master tells the forwarders which indexer to use and is helpful when an indexer is down.
Don't take down multiple Splunk servers at the same time, especially those in the same tier (indexer, search head, etc.). When an indexer is brought back on-line, allow time for rebalancing to occur before bringing down the next indexer.
--- If this reply helps you, an upvote would be appreciated.
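An added example, not part of the original thread and not Splunk's own code: a Python check that parses a forwarder's outputs.conf and counts how many target groups in defaultGroup receive their own copy of each event. A forwarder clones data to every group listed there, while servers inside one group are load-balanced. The stanza headers and the group name cluster_peers are assumptions; both samples are constructed from the addresses in the question.

```python
import configparser

# Constructed samples. The [tcpout] / [tcpout:<group>] stanza headers are
# assumed; only the defaultGroup and server values come from the question.
CLONING = """
[tcpout]
defaultGroup = indexer1,indexer2,indexer3,indexer4
[tcpout:indexer1]
server = 10.20.30.41:9997
[tcpout:indexer2]
server = 10.20.30.42:9997
[tcpout:indexer3]
server = 10.20.30.43:9997
[tcpout:indexer4]
server = 10.20.30.44:9997
"""

# Hypothetical group name "cluster_peers": one group, four servers.
LOAD_BALANCED = """
[tcpout]
defaultGroup = cluster_peers
[tcpout:cluster_peers]
server = 10.20.30.41:9997,10.20.30.42:9997,10.20.30.43:9997,10.20.30.44:9997
"""

def audit_outputs(conf_text):
    """Report how many copies of each event a forwarder config sends out."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep Splunk's case-sensitive setting names
    cp.read_string(conf_text)
    names = cp.get("tcpout", "defaultGroup", fallback="").split(",")
    groups, findings = {}, []
    for name in (n.strip() for n in names if n.strip()):
        servers = cp.get(f"tcpout:{name}", "server", fallback="")
        groups[name] = [s.strip() for s in servers.split(",") if s.strip()]
        if not groups[name]:
            findings.append(f"group {name}: no servers defined")
        elif len(groups[name]) == 1:
            findings.append(f"group {name}: single server, no failover")
    # Each populated target group receives its own full copy of the data;
    # servers inside one group are load-balanced and share a single copy.
    copies = sum(1 for servers in groups.values() if servers)
    if copies > 1:
        findings.append(f"data is cloned to {copies} target groups")
    return {"groups": groups, "copies": copies, "findings": findings}

if __name__ == "__main__":
    for label, text in (("cloning", CLONING), ("load-balanced", LOAD_BALANCED)):
        print(label, audit_outputs(text))
```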