Solved: Can a forwarder be configured to two indexers with...

mce128 · ‎10-19-2012

I have tried quite unsuccessfully to search for an answer to achieve this configuration, so I'm asking here. Hopefully someone has a suggestion/solution to my kind of unusual configuration requirement.

Is it possible to configure a forwarder to send to two separate indexers without load balancing, so that both indexers receive all the data independently?

I understand this is an atypical situation, however, this is something I need to achieve. The indexers will be unable to communicate with each other and will be combined indexer/search heads, so they can't share the received data or be searched in a distributed fashion.

I would suppose it would be possible to run two forwarders on the monitored host(s) one forwarding out to each indexer, but this would be a I/O hog and wasteful of system resources. As a result it would be highly desirable to send to both indexers from a single instance of the forwarder on the monitored host.

Has anyone done this? Is it even possible?

Thanks,
Joe

Ayn · ‎10-19-2012

Sure.

http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Configureforwarderswithoutputs.confd#Data_clo...

View solution in original post

Ayn · ‎10-19-2012

Sure.

http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Configureforwarderswithoutputs.confd#Data_clo...

mce128 · ‎10-19-2012

WOW... Don't know how I missed THAT in the docs...

Thanks!

Can a forwarder be configured to two indexers without load balancing?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?