Getting Data In

Can I tcpout to multiple servers with outputs.conf file?

uktechnologyser
Path Finder

Complete newbie to Splunk, have just set up a distributed search structure (1 deployment server, 1 search head, 2 indexers).

I am deploying the 'sendtoindexer' app from my deployment server and as part of that I need to configure the following in the outputs.conf file for the app.

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = <indexer_hostname_or_ip_address>:<port>

[tcpout-server://<indexer_hostname_or_ip_address>:<port>]

Will this format work? I want to send data to both of my indexers as they are clustered. Or will that create duplicate data once they start replicating?

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.1.4.32:9997,10.1.4.33:9997

[tcpout-server://10.1.4.32:9997,10.1.4.33:9997]

I have set up receiving on the indexers already so it's just the format I need to enable the forwarder(s) to send the information correctly. I am also running without a licence at the moment; we plan to purchase Enterprise this month. Would that disable any features for this type of setup?

Thanks in advance,

Jay

0 Karma
1 Solution

uktechnologyser
Path Finder

I was told to change my outputs.conf file to this:

[tcpout]
defaultGroup = My_Cluster_1

[tcpout:My_Cluster_1]
disabled=false
server = 10.1.4.32:9997,10.1.4.33:9997

I still don't know if I have configured it right as I can't get any data from my deployment clients to my indexers. I have spoken to a support representative and they think the issue is because I have Splunk Free and NOT Splunk Enterprise installed. Slams head against desk. Hopefully when I get an enterprise licence installed the clients will start sending info to the indexers.

0 Karma

somesoni2
Revered Legend

You can configure load balancing between indexers like this:

[tcpout]
defaultGroup=my_indexers

[tcpout:my_indexers]
server=mysplunk_indexer1:9997, mysplunk_indexer2:9996

[tcpout-server://mysplunk_indexer1:9997]

[tcpout-server://mysplunk_indexer2:9996]

More details here:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Configureforwarderswithoutputs.confd

0 Karma
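
Added example, not part of the original thread and not Splunk tooling: a small Python check for the outputs.conf layouts discussed above. It flags a [tcpout-server://...] stanza that names more than one host:port, as in the question, and accepts the one-stanza-per-indexer form from the answer. The function name lint_outputs and the rule that every per-server stanza should match an entry in a group's server list are assumptions of this example.

```python
import configparser
import re

# Constructed sample 1: the layout from the question (one stanza, two servers).
ASKED = """
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.1.4.32:9997,10.1.4.33:9997
[tcpout-server://10.1.4.32:9997,10.1.4.33:9997]
"""
# Constructed sample 2: same group, one per-server stanza per indexer.
SEPARATED = ASKED.replace(
    "[tcpout-server://10.1.4.32:9997,10.1.4.33:9997]",
    "[tcpout-server://10.1.4.32:9997]\n[tcpout-server://10.1.4.33:9997]")

HOSTPORT = re.compile(r"^[A-Za-z0-9_.-]+:\d{1,5}$")

def lint_outputs(text):
    """Return a list of problems found in outputs.conf text (hypothetical helper)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep setting names such as defaultGroup as written
    cp.read_string(text)
    problems, groups = [], {}  # groups: target group name -> host:port members
    for section in cp.sections():
        if section.startswith("tcpout:"):
            raw = cp.get(section, "server", fallback="")
            members = [s.strip() for s in raw.split(",") if s.strip()]
            if not members:
                problems.append(f"[{section}] has no server setting")
            problems += [f"[{section}] bad server entry '{m}'"
                         for m in members if not HOSTPORT.match(m)]
            groups[section[len("tcpout:"):]] = members
    # Every name in defaultGroup needs a matching [tcpout:<name>] stanza.
    default = cp.get("tcpout", "defaultGroup", fallback="")
    for name in (g.strip() for g in default.split(",") if g.strip()):
        if name not in groups:
            problems.append(f"defaultGroup '{name}' has no [tcpout:{name}] stanza")
    known = {m for members in groups.values() for m in members}
    for section in cp.sections():
        if section.startswith("tcpout-server://"):
            target = section[len("tcpout-server://"):]
            if not HOSTPORT.match(target):
                problems.append(f"[{section}] must name exactly one host:port")
            elif target not in known:  # assumption: consistency check only
                problems.append(f"[{section}] is not in any group's server list")
    return problems

if __name__ == "__main__":
    for label, conf in (("asked", ASKED), ("separated", SEPARATED)):
        print(label, lint_outputs(conf) or "OK")
```
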

uktechnologyser
Path Finder

Thanks very much.

I have separated my indexers out with the format you suggested. Not sure if this is working yet as I am still going through the set-up; I'll let you know how I get on.

Cheers,

Jay

0 Karma