Is it possible to have one Splunk Windows forwarder communicate with two separate Splunk environments?

ajdyer2000
Path Finder

Hi,

I was wondering if it is possible to have one Splunk Windows forwarder on a workstation communicate with 2 separate Splunk environments.

The MSI installer file is:

msiexec.exe /i "C:\temp\splunkforwarder-7.1.2-a0c72a66db66-x64-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER="SplunkServer-1:59443" SERVICESTARTTYPE=auto SET_ADMIN_USER=0 /l* C:\temp\splunkuflog.log /quiet

Would like to add SplunkServer-2

deploymentclient.conf

[target-broker:deploymentServer]
targetUri = SplunkServer-1:59443

0 Karma

DavidHourani
Super Champion

Hi there,

You can't connect one deployment client to two deployment servers simultaneously. Only one. For HA you will need to use DNS.

Also please be aware that using the following command writes deploymentclient.conf into splunkforwarder/etc/system/local, which means it will always be the one that is going to be used and will overwrite any configuration you try to send via DS:

msiexec.exe /i "C:\temp\splunkforwarder-7.1.2-a0c72a66db66-x64-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER="SplunkServer-1:59443" SERVICESTARTTYPE=auto SET_ADMIN_USER=0 /l* C:\temp\splunkuflog.log /quiet

For that reason, please avoid using the option DEPLOYMENT_SERVER="SplunkServer-1:59443" and simply create an application under splunkforwarder/etc/apps/ that contains the deploymentclient.conf file. That will allow you to modify this configuration for all your forwarders from the deployment server. If the configuration remains in system/local, you will not be able to modify it without manually logging into all your forwarders.

Cheers,
David

0 Karma

ajdyer2000
Path Finder

Hi David,

I probably was asking the question wrong.
I want to send event data to 2 separate Splunk deployments. 1 deployment server

Thanks
Alan

0 Karma

DavidHourani
Super Champion

Ah, that's simple ^^ have a look here:
https://answers.splunk.com/answers/98922/how-to-send-same-data-to-multiple-separate-splunk-instances...
You should have an output.conf like this:

[tcpout]
defaultGroup=indexerGroup1,indexerGroup2

[tcpout:indexerGroup1]
server=10.1.1.197:9997,10.1.1.198:9997

[tcpout:indexerGroup2]
server=10.1.1.200:9997,10.1.1.201:9997

That will duplicate data to both groups.
Cheers,
David

0 Karma
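An added example, not part of the thread or of Splunk's tooling: since every group named in defaultGroup receives a copy of the forwarder's events, this Python check parses the tcpout configuration shown in the answer above and lists where the data goes, flagging groups with no stanza and servers outside an allow-list. The allow-list `APPROVED` and the function names are assumptions made for the illustration.

```python
# Added example: list every indexer a forwarder's tcpout configuration sends to.
# SAMPLE_OUTPUTS_CONF reuses the stanzas from the answer above; APPROVED is a
# constructed allow-list of indexers the forwarder is expected to reach.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup=indexerGroup1,indexerGroup2

[tcpout:indexerGroup1]
server=10.1.1.197:9997,10.1.1.198:9997

[tcpout:indexerGroup2]
server=10.1.1.200:9997,10.1.1.201:9997
"""
APPROVED = {"10.1.1.197:9997", "10.1.1.198:9997",
            "10.1.1.200:9997", "10.1.1.201:9997"}

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def audit_outputs(text, approved):
    """Return ({group: [servers]}, [problems]) for the defaultGroup targets."""
    stanzas = parse_conf(text)
    groups = split_list(stanzas.get("tcpout", {}).get("defaultGroup", ""))
    destinations, problems = {}, []
    for group in groups:
        servers = split_list(stanzas.get("tcpout:" + group, {}).get("server", ""))
        destinations[group] = servers
        if not servers:
            problems.append(f"{group}: no [tcpout:{group}] stanza or server= line")
        problems += [f"{group}: {s} is not an approved indexer"
                     for s in servers if s not in approved]
    return destinations, problems

if __name__ == "__main__":
    print(audit_outputs(SAMPLE_OUTPUTS_CONF, APPROVED))
```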

sduff_splunk
Splunk Employee

To clarify, do you want to use 2 deployment servers for your client? If so, the deployment servers must be kept exactly the same, in terms of apps and configuration. Then you would need to place these behind a CNAME or common DNS entry that resolves to both of your deployment servers, and configure your client to communicate with this. In addition, you will need to set crossServerChecksum = true in both serverclass.conf.

What is your use-case for needing this?

Or are you looking to send event data to 2 separate Splunk deployments? That is a different question altogether.

0 Karma

ajdyer2000
Path Finder

Thanks sduff,

I want to send event data to 2 separate Splunk deployments.

Thanks
Alan

0 Karma