Greetings,
There must be some cookbook out there but I can't seem to find it. I have a 3 VM environment of a forwarder, indexer, and search head. I would like to create another VM for development. Can someone give me a general step by step of how to set up the 4th VM to act as a development environment doing its own indexing and searching of the logs collected by the forwarder?
Thanks for the help.
Dave
On your forwarder you will have to configure your outputs to clone the events:
outputs.conf
[tcpout]
defaultGroup = indexer_vm, dev_vm
[tcpout:indexer_vm]
server=Y.Y.Y.Y:9997
[tcpout:dev_vm]
server=X.X.X.X:9997
On your 4th VM, just install Splunk and set it up like the indexer so it will listen on tcp:9997. You don't need to set up distributed searching because everything is done on one server. You might have to set the license server if you have that configured.
If you need more information let me know.
Hi, I updated the answer. If you deploy the outputs.conf to your forwarder from the search head, then that's where you have to make the change.
Chris,
What do I do about this:
[tcpout]
defaultGroup = primary_indexers
BTW, this is on my search head which is the deployment server. Is that where I should add the above:
[tcpout]
defaultGroup = primary_indexers
Thanks,
Dave
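A way to check an outputs.conf before the deployment server pushes it, as an added example that is not part of the original thread: it confirms that every group named in defaultGroup has its own [tcpout:<group>] stanza with a server, which is what the cloning setup in the answer relies on. The function name clone_targets and the body of the primary_indexers stanza are assumptions; the addresses are the placeholders used in the answer.

```python
import configparser

# Constructed sample: the deployed outputs.conf from the thread with a dev
# target added. The primary_indexers stanza body is assumed, not from the thread.
SAMPLE = """
[tcpout]
defaultGroup = primary_indexers, dev_vm

[tcpout:primary_indexers]
server = Y.Y.Y.Y:9997

[tcpout:dev_vm]
server = X.X.X.X:9997
"""

def clone_targets(conf_text):
    """Return (targets, problems) for a forwarder outputs.conf.

    targets maps each usable group in defaultGroup to its server list. Each
    group receives its own full copy of the events (cloning); several servers
    listed inside one group are load-balanced instead.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names such as defaultGroup case-exact
    cp.read_string(conf_text)
    targets, problems = {}, []
    if not cp.has_option("tcpout", "defaultGroup"):
        return targets, ["[tcpout] has no defaultGroup"]
    raw = cp.get("tcpout", "defaultGroup")
    for group in [g.strip() for g in raw.split(",") if g.strip()]:
        section = "tcpout:" + group
        if not cp.has_section(section):
            problems.append(f"defaultGroup names '{group}' but [{section}] is missing")
            continue
        value = cp.get(section, "server", fallback="")
        servers = [s.strip() for s in value.split(",") if s.strip()]
        if servers:
            targets[group] = servers
        else:
            problems.append(f"[{section}] has no server setting")
    if len(targets) < 2:
        problems.append("fewer than two usable groups: events are not cloned")
    return targets, problems

if __name__ == "__main__":
    found, issues = clone_targets(SAMPLE)
    for group, servers in found.items():
        print(f"{group}: {', '.join(servers)}")
    for issue in issues:
        print("PROBLEM:", issue)
```

Run against a file that contains only the [tcpout] stanza with defaultGroup = primary_indexers, it reports the missing group stanza and that nothing is being cloned.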