Deployment Architecture

send data from heavy forwarder to peer index

Prakhar_shukla
Path Finder

Hello, I need to send a specific log file's data from the HF to a specific index on a peer.

bash-4.2$ more inputs.conf

[monitor:///tmp/Apache_test/Apache_Logs.txt]
_TCP_ROUTING = APCHA
index = test

bash-4.2$ more outputs.conf

[tcpout:APCHA]
server = cluser-peer.splunk.com:9997

I have already created an index in my cluser-peer.splunk.com server: index = test

After completing the set-up, when I tried to search index=test in the SH or anywhere, I am getting no result.
Please help me out if I am missing anything.

1 Solution

gcusello
SplunkTrust

Hi Prakhar_shukla,
probably you didn't insert the full outputs.conf file, so at the end there's also the following row:

[tcpout-server://cluser-peer.splunk.com:9997]

At first I'd try to use the IP address instead of the hostname, to be sure that the host is correctly resolved.

If the problem is still present, try to debug the HF's logs:
in $SPLUNK_HOME/var/log/splunk/splunkd.log search for connections to cluser-peer.splunk.com.

If the connection is correctly established, test log extraction by sending logs to all servers, deleting the _TCP_ROUTING = APCHA row in inputs.conf.

Try to insert crcSalt = <SOURCE> in the monitor stanza of the inputs.conf file (and restart Splunk, obviously!).

If you continue to have no logs in your indexer, verify the log path (/tmp/Apache_test/Apache_Logs.txt) and try to modify [monitor://......] in inputs.conf to use another log file.

Bye.
Giuseppe
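The checks above (a routing group named in inputs.conf with no matching tcpout stanza, a server entry without a port, a monitor stanza with no index, the optional per-server stanza) can be cross-checked mechanically before restarting anything. The following script is an added example written for this thread, not something from the original posts or from Splunk; it re-creates the two files from the question as constructed inline strings, and the stanza layout it relies on is only what is visible in the thread. On a real forwarder you would read the files from $SPLUNK_HOME/etc/system/local (or the relevant app's local directory) instead of the inline strings.

```python
"""Cross-check a Splunk heavy forwarder's inputs.conf against outputs.conf.

Added example for the thread above (not Splunk's own code). It reports the
configuration mismatches that typically leave a search of index=<name> empty:
a _TCP_ROUTING group with no [tcpout:<group>] stanza, a tcpout stanza without
a usable server = host:port, and a monitor stanza with no index set.
"""
import configparser
import re

# Constructed copies of the two files posted in the question (assumption: these
# are the complete files on the forwarder).
INPUTS_CONF = """
[monitor:///tmp/Apache_test/Apache_Logs.txt]
_TCP_ROUTING = APCHA
index = test
"""

OUTPUTS_CONF = """
[tcpout:APCHA]
server = cluser-peer.splunk.com:9997
"""


def parse_conf(text):
    """Parse Splunk .conf text. Splunk keys are case-sensitive, so keep case;
    only '=' separates key and value, so ':' inside host:port stays intact."""
    cp = configparser.ConfigParser(
        interpolation=None, allow_no_value=True, strict=False, delimiters=("=",)
    )
    cp.optionxform = str  # do not lowercase _TCP_ROUTING
    cp.read_string(text)
    return cp


def check_routing(inputs_text, outputs_text):
    """Return a list of human-readable findings; an empty list means the two
    files agree on every routing group, server and index."""
    inputs = parse_conf(inputs_text)
    outputs = parse_conf(outputs_text)
    findings = []
    for stanza in inputs.sections():
        if not stanza.startswith("monitor://"):
            continue
        if not inputs.has_option(stanza, "index"):
            findings.append(f"[{stanza}]: no index set, events will land in the default index")
        routing = inputs.get(stanza, "_TCP_ROUTING", fallback=None)
        if routing is None:
            continue  # events go to the default group; nothing more to cross-check
        for group in [g.strip() for g in routing.split(",") if g.strip()]:
            out_stanza = f"tcpout:{group}"
            if not outputs.has_section(out_stanza):
                findings.append(
                    f"[{stanza}]: _TCP_ROUTING references '{group}' "
                    f"but outputs.conf has no [{out_stanza}]"
                )
                continue
            servers = outputs.get(out_stanza, "server", fallback="")
            if not servers.strip():
                findings.append(f"[{out_stanza}]: no server = host:port entry")
                continue
            for server in [s.strip() for s in servers.split(",") if s.strip()]:
                # A bare hostname or IP without the receiving port never connects.
                if not re.fullmatch(r"[^:\s]+:\d{1,5}", server):
                    findings.append(f"[{out_stanza}]: server '{server}' is not host:port")
                # Per-server stanza is optional; reported as a note because the
                # thread discusses whether it is needed.
                if not outputs.has_section(f"tcpout-server://{server}"):
                    findings.append(
                        f"[{out_stanza}]: note: no [tcpout-server://{server}] stanza"
                    )
    return findings


if __name__ == "__main__":
    for line in check_routing(INPUTS_CONF, OUTPUTS_CONF) or ["no routing mismatches found"]:
        print(line)
```

Run against the files from the question, the only output is the note about the missing per-server stanza; a typo in the group name on either side (APCHA vs APACHE, for example) or a server without a port is reported as a finding. Name resolution of the configured host is deliberately left to the splunkd.log check described above, since it depends on the forwarder's DNS rather than on the files.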

Prakhar_shukla
Path Finder

Thanks cusello and woodcock. Apart from adding the last line of the stanza, I had to enable index acknowledgment to make it work.

woodcock
Esteemed Legend

The body-less stanza header is completely useless and unnecessary, so that cannot be it. I agree with the rest of what @cusello advises, though.

Prakhar_shukla
Path Finder

Hello cusello, in the search head I am getting data, but it is very weird.

1) In search I can see cluster-peer2 in splunk-server in the SH; I only configured cluster-peer1 for this specific log monitoring.
2) It is coming via index "main" rather than the index (test) I created and specified in the input file.

3no
Communicator

Hi,
Are you sure it's cluser? And not cluster?
