Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Disable AutoLB in Splunk UniversalForwarder
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Disable AutoLB in Splunk UniversalForwarder
Hello,
I have a setup similar to the example shown in this page, we noticed that the firewalls showing systematic tcp session breakdown/rebuild. So it looks like the the default setting of autoLBFrequency=30 is in use.
Further it looks like in the newer versions of the Splunk UF which we are on have deprecated the disabling LB functionality.
Can I set this setting to 86400 or something like that so that it doesn't break and recreate connections all the time? Are there any pitfalls with this approach? Are there any other hacks that will allow me to disable LB which makes no sense if a group has just 1 IDX in it?
https://docs.splunk.com/Documentation/Forwarder/8.2.3/Forwarder/Configureforwardingwithoutputs.conf
[tcpout] defaultGroup=indexer1,indexer2 [tcpout:indexer1] server=10.1.1.197:9997 [tcpout:indexer2] server=10.1.1.200:9997
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @govardha
I don't understand very well your question, anyway the configuration you shared on your message is not for the load balancing but for clonining the data across the 2 indexers
to use the load balancing check this configuration
[tcpout]
defaultGroup=my_indexers
[tcpout:my_indexers]
server=10.1.1.197:9997, 10.1.1.200:9997anyway if your want cloning the data without the load-balancing your configuration works well.
or another option you can configure cluster replication across the 2 indexers and send the data to only 1, but doesn't make sense
I hope this is useful for you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @aasabatini
Thank you for your response. I just wanted to show you my configs and how the UF is behaving.
I don't want to introduce a clustered set up, I have a distributed set up with 1 SHD + 1 IDX in 2 disparate data centers. Our Splunk needs are quite simplistic, and this set up worked out best for my firm from a cost & maintenance perspective.
Although the UF just knows to hit the 2 IDX'ers it behaves as it is if load balancing that one indexer every 30 seconds.
I hope that makes sense. Looking forward to your response.
Thanks!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
