Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Is there a way to forward data collected using scripted inputs to multiple indexers using Splunk's load balancing feature?

sakti
Engager
‎11-16-2016 11:54 AM

Is there a way to forward data collected using [script] to multiple indexers using Splunk's load balancing feature? This is a TCP stream and am trying to implement this by using universal forwarder, and according to the documentation, it says:

Universal forwarders have a slight
disadvantage in that they can't switch
indexers when monitoring TCP network
streams of data unless they encounter
an End of File (EOF) marker in the
stream or an indexer goes down.

How and when could I introduce an EOF marker? Is there a setting in outputs.conf to do that or should my script handle this?

0 Karma
Reply

bernardoortega
Path Finder
‎02-15-2017 01:09 AM

Hello

You should use in outputs.,conf the following parameter:

forceTimebasedAutoLB=true

With this, it will load balance between indexers

regards

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎11-16-2016 02:41 PM

I'm wondering if event breaker enable will help here https://docs.splunk.com/Documentation/Forwarder/6.5.0/Forwarder/Configureloadbalancing from the documentation I'm not clear if it will help here...

If not, you might want to consider a syslogNG instance or similar to receive the TCP logs and then read the files through the universal forwarder, I have a post on that here

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

sakti
Engager
‎11-16-2016 01:59 PM

Adding to the question, if I report the data every n seconds does that get counted as marking the data stream with EOF for every n seconds?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...