Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I clone all data received from one indexer to another indexer?

andrew207
Path Finder
‎09-13-2022 11:17 PM

Hello,

I have one indexer cluster that receives data over inputs.conf [splunktcp://9997].

I want to clone all data received by this indexer cluster on this port to another Splunk instance, which also listens on 9997. I understand this will double my license consumption.

Current: UF --> Indexer (stores all data)

Desire: UF --> Indexer (stores all data) --> Other Indexer (also stores all data)

How can I clone all data received on 9997 from one indexer to another?

Thanks

Labels (3)
0 Karma
Reply

gcusello
Esteemed Legend
‎09-13-2022 11:26 PM

Hi @andrew207,

you can create a fork on your UF to send data to both Cluster and additional Indexes.

You have to add a group to outputs.conf, something like this:

[tcpout]
defaultGroup=indexer_cluster,Other_indexer

[tcpout:indexer_cluster]
server=xxx.xxx.xxx.xxx:9997

[tcpout:other_indexer]
server=yyy.yyy.yyy.yyy:9997

In other words, add both the addressing of the Cluster and the other Indexers.

Ciao.

Giuseppe

0 Karma
Reply

andrew207
Path Finder
‎09-13-2022 11:29 PM

Hello @gcusello 

I am performing the cloning from a source indexer, not from a uf. This means there is currently no outputs.conf configured, and your answer does not work.

Thanks

 

0 Karma
Reply

gcusello
Esteemed Legend
‎09-13-2022 11:40 PM

Hi @andrew207,

if you want to clone all the data of an Indexers sending them to another, you have only to configure your indexers to Forward data to another Indexes and locally store a copy of the files.

You can do this by GUI [Settings -- Forwarding and Receiving -- Forwarding]

It surely runs on a single Indexer, I never tried with a Cluster, but it should run.

Check if configuring for Forwarding only one peer of the Cluster you forward all the data or (as I suppose)  you need to configure all the peers.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...