We deployed 4 apps on a Splunk Universal Forwarder. 3 apps have the same outputs.conf and send data to the same indexer.
The 4th app has a different indexer IP.
All 3 apps are able to send data to their respective indexer, but the 4th app is failing to send data.
If I delete all 3 apps and keep only the 4th one, it works.
Need your expert suggestion.
I am thinking of one more way:
all 4 apps' data to >> Heavy forwarder
From the heavy forwarder, send the 3 apps' index to Indexer 1
From the heavy forwarder, send the 4th app's index to Indexer 2
Can anyone help with the heavy forwarder configuration for this?
I suggest creating a different TA containing only one outputs.conf that comprises the four configurations, and deploying it using a Deployment Server.
In this way you're sure not to have conflicts between outputs.conf files.
When you deploy the 3 apps, you are likely overriding the 4th app's outputs.conf.
Can you share the outputs.conf of the 3 apps vs the 4th app so we can help you reach the config you are looking for?
outputs.conf is the same for all apps; only the group and indexer name are different.
For the 3 apps:
groupname is: defaultgroup
For the 4th app:
groupname is: group4
indexer: group4.com:9997
You can, and should be able to, avoid the need for a heavy forwarder by using the route and filtering options for inputs.
See: Route inputs to specific indexers based on the data's input
You can create a single outputs.conf with all target indexers defined.
Then in inputs.conf you can use _TCP_ROUTING to point the inputs accordingly:
_TCP_ROUTING = systemGroup
_TCP_ROUTING = applicationGroup
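The following is an added example, not configuration from the original thread, showing what the single-outputs.conf TA suggested above looks like when combined with input-level routing: one outputs.conf defines both target groups, defaultGroup sends every input that sets nothing else to the three apps' indexer, and the fourth app's inputs.conf pins its own inputs to group4 with _TCP_ROUTING. The only value taken from the thread is group4.com:9997; the indexer hostname indexer1.example.com, the index name app4, the sourcetype app4_log, the monitored path and the SSL lines are assumptions for illustration.

```ini
# etc/apps/all_outputs_ta/local/outputs.conf
# Deployed as ONE app so that no other app can ship a competing [tcpout]
# stanza; whichever app "wins" the merge of defaultGroup decides where
# unrouted data goes, which is the failure mode described in the thread.
[tcpout]
defaultGroup = defaultgroup

# Target for the three apps that share an indexer (hostname is assumed).
[tcpout:defaultgroup]
server = indexer1.example.com:9997
# Assumed: enable TLS to the indexer if the forwarder has a client cert.
# sslCertPath = $SPLUNK_HOME/etc/auth/client.pem
# sslVerifyServerCert = true

# Target for the fourth app; host:port is the one given in the thread.
[tcpout:group4]
server = group4.com:9997

# etc/apps/app4/local/inputs.conf (the fourth app; path and names assumed)
# _TCP_ROUTING overrides defaultGroup for this input only, so only this
# app's data leaves via group4; the other three apps need no routing key.
[monitor:///var/log/app4/app4.log]
index = app4
sourcetype = app4_log
_TCP_ROUTING = group4
```

After deploying, restart the forwarder (outputs.conf changes are not picked up live) and confirm the merged result on the forwarder itself with `splunk btool outputs list --debug` and `splunk btool inputs list --debug`; the `--debug` flag prints the file each setting came from, which makes an outputs.conf left behind in one of the other three apps immediately visible. Any remaining `[tcpout]` or `[tcpout:*]` stanza in those apps should be removed rather than edited, so the routing lives in exactly one place.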