How do I set up indexing across 2 servers

New Member

New to Splunk... I have two servers in a distributed deployment. S1 has Indexer, License Master, and Search Head roles. S2 is just an indexer. Can I have a Splunk server (S1) index and forward data? When I attempt to set up forwarding to both servers, using Splunk load balancing, I receive errors:

0800 ERROR TcpOutputFd - Connection to host=xxx.xx.xx.xx:xxxx failed

As soon as I remove S1 from splunk lb (forwarding), S2 does all of the indexing. I'd like to have S1 index data as well. Is this possible and how can this be accomplished?

0 Karma

Communicator

On the forwarder, in the outputs.conf file:

Forward data to all your peers. Mention the IPs of all peers.
autoLBFrequency=40
server = Peer1:9997, peer2:9997
useACK = true

0 Karma

New Member

Thanks! Attempted this change and now I receive this error message:
Forwarding to indexer group default-autolb-group blocked for 5000 seconds.

0 Karma

Communicator

On the indexer(s), you must configure a receiving port in inputs.conf.

Or, from the GUI, go to Settings > Forward and receive; under receive, add port 9997 on each indexer.

0 Karma

SplunkTrust

Make sure your forwarders know both indexers, in their outputs.conf there should be a line like this:

[tcpout...]
server = S1:9997, S2:9997

Without setting anything else that'll default to load balancing between the two indexers.

Data generated on S1 will be indexed by S1 locally; there is no partial forwarding to the other indexer. If you have significant data being generated on S1 (DB Connect, network inputs, etc.), consider moving them to a heavy forwarder (DB Connect) or other dedicated system that then gets a universal forwarder (network inputs sending to syslog-ng, http://www.georgestarcher.com/splunk-success-with-syslog/).

0 Karma
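The outputs.conf layout discussed in this thread can be checked before a forwarder is restarted. The following is an added example, not code from the thread or from Splunk: a small Python lint that lists the receivers in each tcpout group and flags common mistakes. The group name `indexers` and the sample file are constructed assumptions.

```python
def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.
    Settings that appear before any [stanza] header are stored under None."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def split_list(value):
    """Split a comma-separated setting into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def lint_outputs(text):
    """Return (targets, problems). targets maps each tcpout group to its
    (host, port) receivers; problems is a list of human-readable findings."""
    conf, targets, problems = parse_conf(text), {}, []
    if None in conf:
        problems.append("settings outside any stanza: " + ", ".join(sorted(conf[None])))
    for stanza, settings in conf.items():
        if not stanza or not stanza.startswith("tcpout:"):
            continue
        group = stanza.split(":", 1)[1]
        targets[group] = []
        for entry in split_list(settings.get("server", "")):
            host, sep, port = entry.rpartition(":")
            if sep and host and port.isdigit():
                targets[group].append((host, int(port)))
            else:
                problems.append(f"{group}: '{entry}' is not host:port")
        if len(targets[group]) < 2:
            problems.append(f"{group}: fewer than two receivers, nothing to load balance")
    for name in split_list(conf.get("tcpout", {}).get("defaultGroup", "")):
        if name not in targets:
            problems.append(f"defaultGroup '{name}' has no [tcpout:{name}] stanza")
    return targets, problems

# Constructed sample input; the group name "indexers" is an assumption.
SAMPLE = "[tcpout]\ndefaultGroup = indexers\n\n[tcpout:indexers]\nserver = S1:9997, S2:9997\nuseACK = true\n"

if __name__ == "__main__":
    print(lint_outputs(SAMPLE))
```

An empty problem list only means the file is well-formed; each listed receiver still needs its receiving port enabled on the indexer side.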

Path Finder

Check if S1 has port 9997 (default) enabled:
Go to settings/data/forwarding and receiving/configure receiving.

You don't need to forward data from S1 to S2 because you will end up with duplicated data (considering you are not setting up a cluster).

0 Karma

New Member

Thanks for your reply! Port 9997 is enabled on both S1 and S2. If I don't need to forward data on S1, how does Splunk know how to forward data to itself since S1 is also a forwarder? The only way I could get indexing to work properly was to remove S1 from Forwarding, but S1 is not indexing data.

0 Karma

SplunkTrust

Are you trying to accomplish load balancing between the two indexers or HA/failover with duplicated data on both?

0 Karma

New Member

Load balancing between the two indexers.

0 Karma