Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to forward data collected using scripted inputs to multiple indexers using Splunk's load balancing feature?

sakti
Engager
‎11-16-2016 11:54 AM

Is there a way to forward data collected using [script] to multiple indexers using Splunk's load balancing feature? This is a TCP stream and am trying to implement this by using universal forwarder, and according to the documentation, it says:

Universal forwarders have a slight
disadvantage in that they can't switch
indexers when monitoring TCP network
streams of data unless they encounter
an End of File (EOF) marker in the
stream or an indexer goes down.

How and when could I introduce an EOF marker? Is there a setting in outputs.conf to do that or should my script handle this?

0 Karma
Reply

bernardoortega
Path Finder
‎02-15-2017 01:09 AM

Hello

You should use in outputs.,conf the following parameter:

forceTimebasedAutoLB=true

With this, it will load balance between indexers

regards

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎11-16-2016 02:41 PM

I'm wondering if event breaker enable will help here https://docs.splunk.com/Documentation/Forwarder/6.5.0/Forwarder/Configureloadbalancing from the documentation I'm not clear if it will help here...

If not, you might want to consider a syslogNG instance or similar to receive the TCP logs and then read the files through the universal forwarder, I have a post on that here

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

sakti
Engager
‎11-16-2016 01:59 PM

Adding to the question, if I report the data every n seconds does that get counted as marking the data stream with EOF for every n seconds?

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...