Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to update indexes.conf files on unclustered production indexers?

packet_hunter
Contributor
‎10-24-2017 07:28 AM

I have to define some new indexes on production indexers (in the indexes.conf).
I have 4 indexers running.
Someone else setup an app to send_data_to_indexers (a basic outputs.conf) as follows

[tcpout]
 defaultGroup = default-autolb-group

 [tcpout:default-autolb-group]

 server = splunkindexer1.mycorp.com:9997, splunkindexer2.mycorp.com:9997, splunkindexer3.mycorp.com:9997, splunkindexer4.mycorp.com:9997


 [tcpout-server://splunkindexer1.mycorp.com:9997]

My question is: If this outputs.conf is being used for all data being sent to the indexers, then can I edit the indexes.conf on each indexer and then restart one at a time?

Or is there a better way to do this?

Thank you

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-24-2017 07:50 AM

Hi packet_hunter,

in your outputs.conf you should have four lines as the last one

[tcpout-server://splunkindexer1.mycorp.com:9997]
[tcpout-server://splunkindexer2.mycorp.com:9997]
[tcpout-server://splunkindexer3.mycorp.com:9997]
[tcpout-server://splunkindexer4.mycorp.com:9997]

Anyway, I see that you configured your indexers in auto load balancing so, if one of them is down for update, the others continue to receive logs from Universal Forwarders.
The only problem is that, during downtime, data on this indexers aren't searchable.

What's your requirement: don't lose any log or have always logs searchable?

If your requirement is don't lose any log, you haven't problems; in addition remember that receiving logs only from Universal Forwarder you can also stop all the indexers at the same time, because UFs cache logs when Indexers aren't available.

If instead your requirement is to always have logs searchable, you must use an Indexer Cluster.

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-24-2017 07:50 AM

Hi packet_hunter,

in your outputs.conf you should have four lines as the last one

[tcpout-server://splunkindexer1.mycorp.com:9997]
[tcpout-server://splunkindexer2.mycorp.com:9997]
[tcpout-server://splunkindexer3.mycorp.com:9997]
[tcpout-server://splunkindexer4.mycorp.com:9997]

Anyway, I see that you configured your indexers in auto load balancing so, if one of them is down for update, the others continue to receive logs from Universal Forwarders.
The only problem is that, during downtime, data on this indexers aren't searchable.

What's your requirement: don't lose any log or have always logs searchable?

If your requirement is don't lose any log, you haven't problems; in addition remember that receiving logs only from Universal Forwarder you can also stop all the indexers at the same time, because UFs cache logs when Indexers aren't available.

If instead your requirement is to always have logs searchable, you must use an Indexer Cluster.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎10-24-2017 07:59 AM

Thank you Cusello.

I plan to update after hours, search-ability should not be a big concern. Primary concern is to not lose data.
I really appreciate your insight.

Regarding your code that you provided above, do I need to rewrite the code that I am using for autoLB?
If I am understanding correctly, is this what you mean?

[tcpout]
 defaultGroup = default-autolb-group

 [tcpout:default-autolb-group]

 server = splunkindexer1.mycorp.com:9997, splunkindexer2.mycorp.com:9997, splunkindexer3.mycorp.com:9997, splunkindexer4.mycorp.com:9997



 [tcpout-server://splunkindexer1.mycorp.com:9997]
 [tcpout-server://splunkindexer2.mycorp.com:9997]
 [tcpout-server://splunkindexer3.mycorp.com:9997]
 [tcpout-server://splunkindexer4.mycorp.com:9997]
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-24-2017 08:12 AM

Hi packet_hunter,
Yes correct!

how do you deploy outputs.conf?
I suggest to insert it in a dedicated TA to deploy using Deployment Server.
In this way you have a more feasible solution: you can modify outputs.conf of all UFs in one shot.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎10-24-2017 09:26 AM

Thank you for confirming.
Yes we use the deployment server to push out the output.conf as an app to the UFs.

For example we create an app called OutputsToIndexers

and within this app is the code I provided above.

Is this scenario what you are recommending?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-25-2017 12:32 AM

Yes.
Thank You.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...