send data from heavy forwarder to peer index

Prakhar_shukla
Path Finder

Hello, I need to send specific log file data from HF to a specific index on a peer.

bash-4.2$ more inputs.conf

[monitor:///tmp/Apache_test/Apache_Logs.txt]
_TCP_ROUTING = APCHA
index = test

bash-4.2$ more outputs.conf

[tcpout:APCHA]
server = cluser-peer.splunk.com:9997

I have already created an index on my cluser-peer.splunk.com server. index = test

After completing the setup, when I tried to search index=test in SH or anywhere, I am getting no result.
Please help me out if I am missing anything.

1 Solution

gcusello
SplunkTrust

Hi Prakhar_shukla,
Probably you didn't insert the full outputs.conf file, so at the end there's also the following row:

[tcpout-server://cluser-peer.splunk.com:9997]

At first I'd try to use the IP address instead of the hostname to be sure that the host is correctly resolved.

If the problem is still present, try to debug the HF's logs:
in $SPLUNK_HOME/var/log/splunk/splunkd.log, search for connections to cluser-peer.splunk.com.

If the connection is correctly established, test log extraction by sending logs to all servers, deleting the _TCP_ROUTING = APCHA row in inputs.conf.

Try to insert crcSalt = <SOURCE> in the monitor stanza of the inputs.conf file (and restart Splunk, obviously!).

If you continue to have no logs in your indexer, verify the log path (/tmp/Apache_test/Apache_Logs.txt) and try to modify [monitor://......] in inputs.conf using another log file.

Bye.
Giuseppe

Prakhar_shukla
Path Finder

Thanks cusello and woodcock. Apart from adding the last line of the stanza, I had to enable index acknowledgment to make it work.


woodcock
Esteemed Legend

The body-less stanza header is completely useless and unnecessary so that cannot be it. I agree with the rest of what @cusello advises, though.


Prakhar_shukla
Path Finder

Hello cusello, in the search head I am getting data, but it is very weird.

1) In search I can see cluster-peer2 in splunk-server in SH; I only configured cluster-peer1 for this specific log monitoring.
2) It is coming via index "main" rather than the index (test) I created and specified in the input file.


3no
Communicator

Hi,
Are you sure it's cluser ? And not cluster ?
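
An added example, not part of the original thread and not Splunk's own tooling: a small Python check that every _TCP_ROUTING group named in inputs.conf has a matching [tcpout:<group>] stanza with a server setting in outputs.conf, and that reports when useACK (indexer acknowledgment, which the original poster reports enabling) is not set. The sample files are constructed from the configuration posted above; parse_conf, check_routing and the TRUTHY set are hypothetical names and assumptions of this example.

```python
import re
# Constructed sample files mirroring the configuration posted in the thread.
INPUTS_CONF = """\
[monitor:///tmp/Apache_test/Apache_Logs.txt]
_TCP_ROUTING = APCHA
index = test
"""
OUTPUTS_CONF = """\
[tcpout:APCHA]
server = cluser-peer.splunk.com:9997
"""
TRUTHY = {"true", "t", "1", "yes", "y"}  # assumption: spellings read as true

def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_routing(inputs_text, outputs_text):
    """Return (input stanza, finding) pairs for inputs that set _TCP_ROUTING."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    findings = []
    for stanza, settings in inputs.items():
        if "_TCP_ROUTING" not in settings:
            continue
        if "index" not in settings:
            findings.append((stanza, "no index set; the default index is used"))
        for group in (g.strip() for g in settings["_TCP_ROUTING"].split(",")):
            target = outputs.get(f"tcpout:{group}")
            if target is None:
                findings.append((stanza, f"no [tcpout:{group}] stanza in outputs.conf"))
            elif not target.get("server"):
                findings.append((stanza, f"[tcpout:{group}] has no server setting"))
            elif target.get("useACK", "false").lower() not in TRUTHY:
                findings.append((stanza, f"[tcpout:{group}] does not enable useACK"))
    return findings

if __name__ == "__main__":
    print(check_routing(INPUTS_CONF, OUTPUTS_CONF))
```

An empty result means the routing references are consistent on the forwarder side; it does not confirm that the index exists on the receiving peer.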
