Getting Data In

Can i tcpout to multiple servers with output.conf file?

uktechnologyser
Path Finder

Complete newbie to Splunk, have just setup a distributed search structure (1 deployment server, 1 search head, 2 indexers).

I am deploying the 'sendtoindexer' app from my deployment server and as part of that i need to configure the following in the outputs.conf file for the app.

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = <indexer_hostname_or_ip_address>:<port>

[tcpout-server://<indexer_hostname_or_ip_address>:<port>]

WIll this format work? I want to send data to both of my indexers as they are clustered. Or will that create duplicate data once they start replicating?

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.1.4.32:9997,10.1.4.33:9997

[tcpout-server://10.1.4.32:9997,10.1.4.33:9997]

I have setup receiving on the indexers already so its just the format i need to enable the forwarder(s) to send the information correctly. I am also running without a licence at the moment, we plan to purchase Enterprise this month. Would that disable any features for this type of setup?

Thanks in advance,

Jay

0 Karma
1 Solution

uktechnologyser
Path Finder

I was told to change my outputs.conf file to this:

[tcpout]
defaultGroup = My_Cluster_1

[tcpout:My_Cluster_1]
disabled=false
server = 10.1.4.32:9997,10.1.4.33:9997

I still dont know if i have configued it right as i cant get any data from my deployment clients to my indexers. I have spoken to a support representative and they think the issue is because i have Splunk Free and NOT Splunk Enterprise installed Slams head against desk. Hopefully when i get an enterprise licence installed the clients will start sending info to the indexers.

View solution in original post

0 Karma

uktechnologyser
Path Finder

I was told to change my outputs.conf file to this:

[tcpout]
defaultGroup = My_Cluster_1

[tcpout:My_Cluster_1]
disabled=false
server = 10.1.4.32:9997,10.1.4.33:9997

I still dont know if i have configued it right as i cant get any data from my deployment clients to my indexers. I have spoken to a support representative and they think the issue is because i have Splunk Free and NOT Splunk Enterprise installed Slams head against desk. Hopefully when i get an enterprise licence installed the clients will start sending info to the indexers.

0 Karma

somesoni2
Revered Legend

You can configure load balance between indexer like this

[tcpout]
defaultGroup=my_indexers

[tcpout:my_indexers]
server=mysplunk_indexer1:9997, mysplunk_indexer2:9996

[tcpout-server://mysplunk_indexer1:9997]

[tcpout-server://mysplunk_indexer2:9997]

MOre details here
http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Configureforwarderswithoutputs.confd

0 Karma

uktechnologyser
Path Finder

Thanks very much.

I have have separated my indexers out with the format you suggested. Not sure if this is working yet as i am still going through the set-up, ill let you know how i get on.

Cheers,

Jay

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...