Getting Data In

Index data and then forward to another indexer

danielez68
Explorer

Hi, we have an indexer that receives data from some Universal Forwarders. Data are stored in different indexes (IndexA, IndexB, ...) based on the forwarders' index input configuration.
Now we need to add a new index (that receives data from a new group of forwarders) and then forward from the indexer the same indexed data to another indexer (for another group of people).

What's the best way to configure it (store and forward)?

Thanks!


abhijitmishra87
Explorer

It is because the forwardedindex attributes are only applicable under the global [tcpout] stanza. This filter does not work if it is created anywhere else.

Your configs should be:

[tcpout]
indexAndForward = true
forwardedindex.filter.disable = false
forwardedindex.0.blacklist = index_1
forwardedindex.1.blacklist = index_3
forwardedindex.2.whitelist = index_2

[tcpout:indexerB_9997]
disabled = false
server = indexerB:9997
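
The point made above, that forwardedindex.* keys are only honored under the global [tcpout] stanza, is easy to get wrong by hand, so here is an added check (example code, not from the original thread or from Splunk) that parses an outputs.conf fragment, flags forwardedindex.* keys placed in a target-group stanza, and emulates the per-index decision. The two embedded conf fragments are constructed from the thread's own posts. Assumptions, labeled in the code: the rules are tested from n=0 upward with the last matching rule deciding, a whitelist at the same n takes precedence over a blacklist (per the outputs.conf spec), the regex is matched against the whole index name, an index that matches no rule is forwarded (mirroring the stock default whitelist of .*), and the shipped defaults in system/default/outputs.conf are not merged in.

```python
import configparser
import re

# Constructed sample: the misconfiguration from the thread, with the filters
# placed in the target-group stanza where they are ignored.
BROKEN_OUTPUTS_CONF = """
[tcpout]
indexAndForward = true

[tcpout:indexerB_9997]
disabled = false
server = indexerB:9997
forwardedindex.filter.disable = false
forwardedindex.0.blacklist = index_1
forwardedindex.1.blacklist = index_3
forwardedindex.2.whitelist = index_2
"""

# Constructed sample: the corrected form, filters under the global [tcpout].
FIXED_OUTPUTS_CONF = """
[tcpout]
indexAndForward = true
forwardedindex.filter.disable = false
forwardedindex.0.blacklist = index_1
forwardedindex.1.blacklist = index_3
forwardedindex.2.whitelist = index_2

[tcpout:indexerB_9997]
disabled = false
server = indexerB:9997
"""

RULE_RE = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)$")


def parse_conf(text):
    """Parse a Splunk .conf fragment; keys keep their case as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def rule_numbers(section):
    """Sorted list of the <n> values used by forwardedindex.<n>.* keys."""
    ns = set()
    for key in section:
        m = RULE_RE.match(key)
        if m:
            ns.add(int(m.group(1)))
    return sorted(ns)


def lint_outputs_conf(text):
    """Return human-readable findings about forwardedindex usage (empty if clean)."""
    cp = parse_conf(text)
    findings = []
    for name in cp.sections():
        for key in cp[name]:
            if key.startswith("forwardedindex.") and name != "tcpout":
                findings.append(f"[{name}] {key}: forwardedindex.* is only honored "
                                "under the global [tcpout] stanza; it is ignored here")
    if cp.has_section("tcpout"):
        g = cp["tcpout"]
        ns = rule_numbers(g)
        # The spec requires n to start at 0 with no gaps.
        if ns and ns != list(range(ns[-1] + 1)):
            findings.append(f"[tcpout] forwardedindex numbering has gaps: {ns}")
        for n in ns:
            if (f"forwardedindex.{n}.whitelist" in g
                    and f"forwardedindex.{n}.blacklist" in g):
                findings.append(f"[tcpout] forwardedindex.{n}: whitelist and blacklist "
                                "both set; only the whitelist is honored")
        # Caveat from the spec: filtered-out events are not indexed unless
        # local indexing is enabled, so without indexAndForward they are lost.
        if ns and g.get("indexAndForward", "false").lower() != "true":
            findings.append("[tcpout] filters present but indexAndForward is not true: "
                            "blacklisted events are dropped, not kept locally")
    return findings


def is_forwarded(text, index):
    """Emulate whether an event for `index` would be forwarded (see assumptions)."""
    cp = parse_conf(text)
    g = cp["tcpout"] if cp.has_section("tcpout") else {}
    if g.get("forwardedindex.filter.disable", "false").lower() == "true":
        return True
    decision = True  # assumption: no matching rule == forwarded
    for n in rule_numbers(g):
        wl = g.get(f"forwardedindex.{n}.whitelist")
        bl = g.get(f"forwardedindex.{n}.blacklist")
        if wl is not None:          # whitelist wins over a blacklist at the same n
            if re.fullmatch(wl, index):
                decision = True
        elif bl is not None:
            if re.fullmatch(bl, index):
                decision = False
    return decision


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_OUTPUTS_CONF), ("fixed", FIXED_OUTPUTS_CONF)):
        print(label, lint_outputs_conf(conf))
        for idx in ("index_1", "index_2", "index_3", "main"):
            print(f"  {idx}: forwarded={is_forwarded(conf, idx)}")
```

Run against the broken fragment, the linter reports every forwardedindex.* key in [tcpout:indexerB_9997] and the emulation forwards all four indexes, which is exactly the symptom reported in the thread; against the fixed fragment it reports nothing and only index_1 and index_3 are held back. Note the last finding: on a box without indexAndForward = true, blacklisted events are not stored anywhere, so verify that setting before tightening the filters.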

rsankar
New Member

Hi Drainy,

Per your first comment in this post, can you elaborate on how we can do more granular forwarding?

We have a requirement where we want to forward to another group's indexer some selected indexed data from my group's indexer.

Thanks
Ramesh S
Echostar, Denver

0 Karma

rturk
Builder

Hi Daniel,

Did you want to store & forward ALL data received by Indexer-A to the new indexer (Indexer-B), or just data destined for the new index (IndexC)? There is the indexAndForward option in outputs.conf which will do the first option, but you're going to need to play with data routing:

http://docs.splunk.com/Documentation/Splunk/4.3.3/Deploy/Routeandfilterdatad

if you want more granular forwarding (the second option).

Instead of indexing data twice, is putting in a standalone search head an option for your new users? This would allow you to simplify your design by:

  • Storing your data in one location (Indexer A)
  • Applying role-based access
  • Saving license quota by only indexing data once

Happy to discuss further 🙂

0 Karma

danielez68
Explorer

These indexes are in the blacklist:

[tcpout]
indexAndForward = true

[tcpout:indexerB_9997]
disabled = false
server = indexerB:9997
forwardedindex.filter.disable = false
forwardedindex.0.blacklist = index_1
forwardedindex.1.blacklist = index_3
forwardedindex.2.whitelist = index_2

Probably something is missing or misconfigured? Thanks.

0 Karma

danielez68
Explorer

We are still receiving wrong events on the destination indexer when the indexer/forwarder starts, like the following:

received event for unconfigured/disabled index='index_1' with source='source::/logs/aaa_.log' host='host::aaa0000' sourcetype='sourcetype::aaa_sourcetype' (2 missing total)
received event for unconfigured/disabled index='index_3' with source='source::/logs/bbb.log' host='host::bbb0000' sourcetype='sourcetype::bbb_sourcetype' (4 missing total)

0 Karma

danielez68
Explorer

The configuration with forwardedindex seems to be working; the only issue is that at indexer startup some events from blacklisted indexes are still forwarded, probably because the filter configuration is not fully loaded?

Is there a way to prevent this?

I also need to override (at indexer level) the index declared by the Universal Forwarder. I have tried to put index=xxxx in the inputs.conf stanza but without results. Or at least reconfigure the index field in the re-forwarded events.
Any suggestion is appreciated. Thanks.

0 Karma

Drainy
Champion

Yup, have a look at Index Filtering in the outputs.conf spec: http://docs.splunk.com/Documentation/Splunk/latest/admin/outputsconf

danielez68
Explorer

Hi R. Turk,

thanks for the response. Our scenario (we are an IT outsourcer) is to collect data (and store/retain it on our indexer for IT/security analysis/compliance) for our customers and then send the same "raw" copy to their indexer (with an independent license) managed by them.
Our indexer should act as data collector and aggregator (we can't send directly to them with forwarders) and, for some customers (not all), also forward/route the data.

We can summarize in this way:

FWD(1,2,..n) -> IndexerA (Our indexer)

                            (Index1) Local   
                            (Index2) Local + Forward -> IndexerB (Customer1 Indexer)
                            (IndexN) Local

I have tried indexAndForward=true but this forwards the data of all indexes.

I have tried (as explained in the manuals)
selectiveIndexing=true
and
_INDEX_AND_FORWARD_ROUTING=local
_TCP_ROUTING=indexerB
on the dedicated TCP port on our indexer, but we got a config error on indexer startup.

We don't need to filter or make selective routing at this stage; we "simply" need to forward all indexed data to the destination indexer. Looking around I have not found any sample configuration, so the question here is to understand whether the indexer is able to store data in a local index and then forward (or route) the same data to another indexer.

Thanks for the help and suggestions.

0 Karma