Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to index data which is forwarded to DNS?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to index data which is forwarded to DNS?
Hello
I am using DNS lists for load balancing. I am pointing my forwarders to send data to my DNS, but I was wondering how can an indexer listen for data which is being forwarded to DNS?
I searched for document, but I could not find it, so can anyone please let me know how I can solve it?
Is it simply by enabling the listening port on my indexers?
or do I need any connection between my DNS and indexers?
thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It may be possible that what you are looking for is the Splunk App for Stream. Stream uses the underlying packet capturing mechanisms on the various platforms to capture data off the wire and send it in via the Forwarder.
The topic is a bit lengthy to get into the solution here, I'd recommend reading and following the extensive documentation in the app and its areas themselves.
The Splunk App for Stream.
How to Install the Splunk App for Stream.
One of the many pages on how to Easily Set Up the Splunk App for Stream. "Easily" being relative, you know.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please also keep in mind that Splunk app for Stream is a Splunk-supported free app - supported and free!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Huh. Somehow I didn't see any of the other comments against the original question. This may not be your solution. I'll leave it for now just in case, but no worries if it isn't.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to setup Indexer to receive data onto a port (e.g. 9997). Then you need to configure your DNS LB to forward oncoming traffic to that port (9997) on the Indexers, So here is how it'll look like
To DNS LB Forward to
Forwarders------------------> DNS LB --------------------> Indexers (receiving on 9997)
on some port Indexers on
say 9997 port 9997
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
i have followed the way u specified but i could not see any events in indexer.
on my forwarder i am getting a message as Forwarding to indexer group default-autolb-group blocked for 100 seconds.
here is my outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = splunk-dns-test.XXXX:9997
[tcpout-server://splunk-dns-test.test-XXXX:9997]
and on my indexer i enabled listening
can you please help me
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you confirm with tcpdump (or wireshark depending on your OS) that the packets are being seen on your interface on the Splunk server?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is not recommended. This was being done at a previous company I consulted for and resulted in terrible performance, upon talking to a few at Splunk we discovered that the load balancers were breaking up the stream from the UF. It is much better to allow the SUFs to load balance for you - as they were designed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SUFs do you mean static list load balancing??
can you please provide me some clear point what your are talking about LBS.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, the static list found in the outputs.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok thanks for clarification !!!
working on both as a part of testing
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
