How do I copy forwarder inputs from one indexer to...

ntripp_element · ‎12-17-2019

I'm working on load balancing the universal forwarder and want to make sure the additional indexer that will now receive inputs from forwarders is configured to accept.

ntripp_element · ‎12-17-2019

yes, I saw that. That's what I'm doing. The list of Forwarded data on the indexers is different. Don't see any mention of dealing with that anywhere so maybe it doesn't matter.

gcusello · ‎12-17-2019

Hi @ntripp_element,
auto-load-balancing is configured at Universal Forwarder Level: Indexers must only be configured to receive logs (enable receiving on 9997 port).

Follow instructions at https://docs.splunk.com/Documentation/Forwarder/8.0.1/Forwarder/Configureloadbalancing :
In outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://xx.xx.xx.xx:9997]
[tcpout-server://yy.yy.yy.yy:9997]

[tcpout:default-autolb-group]
server = xx.xx.xx.xx:9997,yy.yy.yy.yy:9997
disabled=false

If you want, you can also configure autoLBFrequency and other parameters (see https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/Outputsconf ).

Ciao.
Giuseppe

gcusello · ‎12-17-2019

Hi @ntripp_element,
in auto load balancing, half of data are in each Indexer, when you run a search on a Search Head conected with both the Indexers, you see all the data.
To have te same data on both the Indexers (HA), you have to configure an Indexer Cluster ( https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Clusterdeploymentoverview ).

Ciao.
Giuseppe

How do I copy forwarder inputs from one indexer to another indexer?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...