Getting Data In

Can i tcpout to multiple servers with output.conf file?

uktechnologyser
Path Finder

Complete newbie to Splunk, have just setup a distributed search structure (1 deployment server, 1 search head, 2 indexers).

I am deploying the 'sendtoindexer' app from my deployment server and as part of that i need to configure the following in the outputs.conf file for the app.

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = <indexer_hostname_or_ip_address>:<port>

[tcpout-server://<indexer_hostname_or_ip_address>:<port>]

WIll this format work? I want to send data to both of my indexers as they are clustered. Or will that create duplicate data once they start replicating?

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.1.4.32:9997,10.1.4.33:9997

[tcpout-server://10.1.4.32:9997,10.1.4.33:9997]

I have setup receiving on the indexers already so its just the format i need to enable the forwarder(s) to send the information correctly. I am also running without a licence at the moment, we plan to purchase Enterprise this month. Would that disable any features for this type of setup?

Thanks in advance,

Jay

0 Karma
1 Solution

uktechnologyser
Path Finder

I was told to change my outputs.conf file to this:

[tcpout]
defaultGroup = My_Cluster_1

[tcpout:My_Cluster_1]
disabled=false
server = 10.1.4.32:9997,10.1.4.33:9997

I still dont know if i have configued it right as i cant get any data from my deployment clients to my indexers. I have spoken to a support representative and they think the issue is because i have Splunk Free and NOT Splunk Enterprise installed Slams head against desk. Hopefully when i get an enterprise licence installed the clients will start sending info to the indexers.

View solution in original post

0 Karma

uktechnologyser
Path Finder

I was told to change my outputs.conf file to this:

[tcpout]
defaultGroup = My_Cluster_1

[tcpout:My_Cluster_1]
disabled=false
server = 10.1.4.32:9997,10.1.4.33:9997

I still dont know if i have configued it right as i cant get any data from my deployment clients to my indexers. I have spoken to a support representative and they think the issue is because i have Splunk Free and NOT Splunk Enterprise installed Slams head against desk. Hopefully when i get an enterprise licence installed the clients will start sending info to the indexers.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You can configure load balance between indexer like this

[tcpout]
defaultGroup=my_indexers

[tcpout:my_indexers]
server=mysplunk_indexer1:9997, mysplunk_indexer2:9996

[tcpout-server://mysplunk_indexer1:9997]

[tcpout-server://mysplunk_indexer2:9997]

MOre details here
http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Configureforwarderswithoutputs.confd

0 Karma

uktechnologyser
Path Finder

Thanks very much.

I have have separated my indexers out with the format you suggested. Not sure if this is working yet as i am still going through the set-up, ill let you know how i get on.

Cheers,

Jay

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...