Developing for Splunk Enterprise

Build in a development environment

ccsfdave
Builder

Greetings,

There must be some cookbook out there but I can't seem to find it. I have a 3 VM environment of a forwarder, indexer, and search head. I would like to create another VM for development. Can someone give me a general step by step of how to set up the 4th VM to act as a development environment doing its own indexing and searching of the logs collected by the forwarder?

Thanks for the help.

Dave

0 Karma

chris
Motivator

On your forwarder you will have to configure your outputs to clone the events:

outputs.conf

[tcpout]
defaultGroup = indexer_vm, dev_vm


[tcpout:indexer_vm]
server=Y.Y.Y.Y:9997

[tcpout:dev_vm]
server=X.X.X.X:9997

On your 4th VM, just install Splunk and set it up like the indexer so it will listen on tcp:9997. You don't need to set up distributed searching because everything is done on one server. You might have to set the license server if you have that configured.

If you need more information let me know.

0 Karma
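
Added example, not part of the thread and not Splunk tooling: a small check that reads a forwarder's outputs.conf and lists every target group in defaultGroup that will receive a cloned copy of the events, flagging groups with no stanza and stanzas left out of defaultGroup. The function name clone_targets and the 192.0.2.x addresses are assumptions made up for the illustration.

```python
import configparser

# Constructed sample: the layout from the answer above, with placeholder
# addresses from the 192.0.2.0/24 documentation range (not from the thread).
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = indexer_vm, dev_vm

[tcpout:indexer_vm]
server=192.0.2.10:9997

[tcpout:dev_vm]
server=192.0.2.20:9997
"""


def clone_targets(conf_text):
    """Return ({group: [host:port, ...]}, [problems]) for an outputs.conf."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of setting names such as defaultGroup
    cp.read_string(conf_text)
    if not cp.has_section("tcpout"):
        return {}, ["no [tcpout] stanza"]
    raw = cp.get("tcpout", "defaultGroup", fallback="")
    groups = [g.strip() for g in raw.split(",") if g.strip()]
    problems = [] if groups else ["defaultGroup is empty or missing"]
    targets = {}
    for group in groups:
        stanza = f"tcpout:{group}"
        if not cp.has_section(stanza):
            problems.append(f"defaultGroup names '{group}' but [{stanza}] is missing")
            continue
        servers = [s.strip() for s in cp.get(stanza, "server", fallback="").split(",") if s.strip()]
        if not servers:
            problems.append(f"[{stanza}] has no server setting")
        for s in servers:
            host, _, port = s.rpartition(":")
            if not host or not port.isdigit():
                problems.append(f"[{stanza}] server '{s}' is not host:port")
        targets[group] = servers
    # A stanza that is not named in defaultGroup gets no events by default.
    for section in cp.sections():
        if section.startswith("tcpout:") and section.split(":", 1)[1] not in groups:
            problems.append(f"[{section}] is defined but not listed in defaultGroup")
    return targets, problems


if __name__ == "__main__":
    found, issues = clone_targets(SAMPLE_OUTPUTS_CONF)
    print(found, issues)
```

Run it against the outputs.conf that is actually deployed to the forwarder; an empty problem list with both groups present means events are being sent to both the indexer and the development VM.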

chris
Motivator

Hi, I updated the answer. If you deploy the outputs.conf to your forwarder from the search head, then that's where you have to make the change.

0 Karma

ccsfdave
Builder

Chris,

What do I do about this:

[tcpout]
defaultGroup = primary_indexers

BTW, this is on my search head which is the deployment server. Is that where I should add the above:

[tcpout]
defaultGroup = primary_indexers

Thanks,

Dave

0 Karma