Getting Data In

How do I forward the same data to two different servers?

sheltomt
Path Finder

We're prepping for a migration, so what I want is the exact same data going to OldServer and NewServer.

Here's what I have so far:

outputs.conf:

[tcpout]
autoLB = true
maxQueueSize = 500KB
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false

[tcpout:SplunkGroup]
defaultGroup=indexer1,indexer2

[tcpout:indexer1]
server = OldServerIP:8001

[tcpout:indexer2]
server = NewServerIP:8001

inputs.conf:

[monitor:///var/log/mylog.log]
index = myindex
sourcetype = mysourcetype
_TCP_ROUTING = SplunkGroup

When I set it up like this, I get no data, so obviously something is wrong. splunkd.log isn't showing anything outside the norm.

Anyone have ideas?

0 Karma
1 Solution

somesoni2
Revered Legend

Try something like this for your outputs.conf

[tcpout]
autoLB = true
maxQueueSize = 500KB
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
defaultGroup = indexer1,indexer2

[tcpout:indexer1]
server = OldServerIP:8001

[tcpout:indexer2]
server = NewServerIP:8001

See here for more information http://docs.splunk.com/Documentation/Splunk/6.0.2/Forwarding/Configureforwarderswithoutputs.confd#Da...

sheltomt
Path Finder

Do I need to refer to them at all in inputs.conf, or just leave that totally off?

The way that you have it laid out it looks like it's just going to default to the cloning, so I should just be able to declare each monitored log as such:

[monitor:///var/log/mylog.log]
index = myindex
sourcetype = mysourcetype

0 Karma

somesoni2
Revered Legend

That is correct. You don't need anything in inputs.conf if all the data is supposed to go to the defaultGroup.

The inputs.conf entry is required for selective routing (not relevant here, but I just want to bring it up).

0 Karma
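Added example, not Splunk's code and not from either poster: a small Python lint for the two configs discussed above. It parses outputs.conf and inputs.conf, flags a defaultGroup placed inside a [tcpout:<group>] stanza (the asker's original layout), a group with no server, and an _TCP_ROUTING that names a group which no longer exists once the accepted layout is used, and summarises which groups receive a clone of the data versus which servers share one load-balanced stream. The sample configs are constructed from the thread's snippets, trimmed to the routing keys; the stanza and key names ([tcpout], [tcpout:<group>], defaultGroup, server, _TCP_ROUTING) are the ones the thread uses.

```python
"""Lint Splunk outputs.conf / inputs.conf routing for the mistakes discussed in the thread.

Added example, not Splunk's own tooling. Assumes only the stanza and key names used
in the thread: [tcpout], [tcpout:<group>], defaultGroup, server, _TCP_ROUTING.
"""
import configparser
from typing import Dict, List

# Constructed sample: the asker's original outputs.conf, trimmed to the routing keys
# (defaultGroup sits inside a group stanza instead of [tcpout]).
BROKEN_OUTPUTS = """
[tcpout]
autoLB = true
maxQueueSize = 500KB

[tcpout:SplunkGroup]
defaultGroup=indexer1,indexer2

[tcpout:indexer1]
server = OldServerIP:8001

[tcpout:indexer2]
server = NewServerIP:8001
"""

# Constructed sample: the accepted answer's layout (defaultGroup under [tcpout],
# one group per destination, so every event is cloned to both).
FIXED_OUTPUTS = """
[tcpout]
autoLB = true
maxQueueSize = 500KB
defaultGroup = indexer1,indexer2

[tcpout:indexer1]
server = OldServerIP:8001

[tcpout:indexer2]
server = NewServerIP:8001
"""

# Constructed sample: the asker's inputs.conf, still pointing _TCP_ROUTING at SplunkGroup.
ASKER_INPUTS = """
[monitor:///var/log/mylog.log]
index = myindex
sourcetype = mysourcetype
_TCP_ROUTING = SplunkGroup
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse an INI-style Splunk .conf file into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keys such as defaultGroup and _TCP_ROUTING are case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def _csv(value: str) -> List[str]:
    """Split a comma-separated Splunk value into stripped, non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def tcpout_groups(conf: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Return {group_name: stanza_body} for every [tcpout:<name>] stanza."""
    return {n[len("tcpout:"):]: body for n, body in conf.items() if n.startswith("tcpout:")}


def lint_outputs(text: str) -> List[str]:
    """Flag defaultGroup in the wrong stanza, groups without a server, and dangling group names."""
    conf = parse_conf(text)
    groups = tcpout_groups(conf)
    findings: List[str] = []
    for name, body in groups.items():
        if "defaultGroup" in body:
            findings.append(f"[tcpout:{name}] sets defaultGroup; move it to [tcpout]")
        if not _csv(body.get("server", "")):
            findings.append(f"[tcpout:{name}] has no server, so data routed to it has no destination")
    default = _csv(conf.get("tcpout", {}).get("defaultGroup", ""))
    if not default:
        findings.append("[tcpout] sets no defaultGroup; the accepted answer puts defaultGroup = indexer1,indexer2 here")
    for g in default:
        if g not in groups:
            findings.append(f"[tcpout] defaultGroup names '{g}' but there is no [tcpout:{g}] stanza")
    return findings


def lint_inputs(outputs_text: str, inputs_text: str) -> List[str]:
    """Check that every _TCP_ROUTING in inputs.conf names a group that exists in outputs.conf."""
    groups = tcpout_groups(parse_conf(outputs_text))
    findings: List[str] = []
    for stanza, body in parse_conf(inputs_text).items():
        for g in _csv(body.get("_TCP_ROUTING", "")):
            if g not in groups:
                findings.append(f"[{stanza}] _TCP_ROUTING names '{g}' but there is no [tcpout:{g}] stanza")
    return findings


def routing_summary(text: str) -> Dict[str, List[str]]:
    """Map each defaultGroup target to its servers.

    Several groups listed in defaultGroup: every event is cloned to each group.
    Several servers inside one group: events are load-balanced across them (autoLB).
    """
    conf = parse_conf(text)
    groups = tcpout_groups(conf)
    default = _csv(conf.get("tcpout", {}).get("defaultGroup", ""))
    return {g: _csv(groups.get(g, {}).get("server", "")) for g in default}


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_OUTPUTS), ("fixed", FIXED_OUTPUTS)):
        print(label, lint_outputs(text) or "OK", routing_summary(text))
    print("inputs vs fixed", lint_inputs(FIXED_OUTPUTS, ASKER_INPUTS) or "OK")
```

Run it against the two outputs.conf variants: the asker's layout produces three findings (defaultGroup inside [tcpout:SplunkGroup], that group has no server, and [tcpout] itself has none), the accepted layout produces none and a summary showing one server per cloned group. Running lint_inputs against the accepted layout shows why the leftover _TCP_ROUTING = SplunkGroup line has to go as well.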

sheltomt
Path Finder

Interesting

Your declaration format works just fine; however, if I don't have my NewServer reachable, OldServer won't work either.

Odd. But, I figure once I work the ACLs out, everything should work as necessary.

0 Karma