Configure forwarding data to two tcpout groups wit...

jg91 · ‎12-16-2022

Is it possible to configure heavy forwarders to send data to two tcpout groups (A,B) (outputs.conf) and don't block on group B failure?

We want to send all data to group A, and a subset of data (specific sourcetypes) to group B, but group B is in a remote location and our link to that location is not fully stable and we don't want to event loss in group A on link failures or group B failures.

[tcpout]

[tcpout:groupA]
server=indexerA1_ip:9997,indexerA2_ip:9997

[tcpout:groupB]
server=indexerB_ip:9997

gcusello · ‎12-16-2022

@jg91,

yes it should be possible: you have to configure a fork to send data to two groups of indexers following the instructons at https://docs.splunk.com/Documentation/Splunk/9.0.2/Forwarding/Routeandfilterdatad#Filter_and_route_e...

Sincerely I never tested this situation but If one group isn't available HF should cache those data and send them to the second group when available.

Ciao.

Giuseppe

Configure forwarding data to two tcpout groups without blocking on group failure.

heavy forwarder

indexer

intermediate forwarder

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Are you a member of the Splunk Community?