Getting Data In

Splunk Forwarder migration

mehmettecer
Explorer

Hi guys,

Here is my issue:
I have 2 rsyslog servers that are in production in redundant setup. Other servers forward same logs to these servers at the same time. Due to UDP drops, log files are slightly different on both servers.

I have the Forwarder set up on only one of them, let's call it Server A; now I need to retire Server A and replace it with Server B.

My question here is: when Server B comes up, will Splunk start indexing all the log files as if it was a new server? If yes, how can I avoid duplicate indexed data? Is there a Splunk best practice for such a situation? I know the Splunk forwarder remembers where it left off while monitoring files; is there a way to transfer that monitoring offset data to the new server so that once Server B comes up it starts monitoring from where it left off?

Thanks


jasonnadeau
Explorer

Can you expand on your rsyslog configuration a little bit? My rsyslog creates a directory hierarchy based on the source IP address of the log message, then creates a new log file per day for each unique IP address.

+/syslog
+-/192.168.1.1
---/2011-10-04.log
+-/192.168.1.10
---/2011-10-04.log
---/2011-10-03.log

If you need to replace Server A with Server B on a scheduled date and time, you may want to move the older data out of "view" of the Splunk monitored directories just before you fire up Splunk on Server B; then you can shut down Splunk on Server A. At that point the log data will be ingested via Server B, and once you are satisfied you are getting all the required logs you can decommission Server A. If things appear to be going left you can always turn Splunk back on on Server A and it will pick up logs from where it left off.

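One way to script the "move older data out of view" step from the reply above, as an added example that is not part of the original thread. It assumes the per-IP daily layout shown in the reply (SRC/<ip>/<YYYY-MM-DD>.log) and takes the cutover day as YYYY-MM-DD; the directory names, the sample log lines and the cutover date are constructed for illustration, not taken from either poster's setup.

```shell
#!/bin/sh
# Added example; not code from the original thread. Implements the cutover
# step described in the reply above: move per-source-IP daily rsyslog files
# dated before the cutover day out of the tree the Splunk forwarder monitors,
# so a forwarder started fresh on Server B only sees files from the cutover
# day onward. Assumed layout (from the reply): SRC/<ip>/<YYYY-MM-DD>.log.
# Directory names and the sample cutover date are illustrative assumptions.

# date_key YYYY-MM-DD -> YYYYMMDD, so dates can be compared as integers.
date_key() {
    printf '%s' "$1" | sed 's/-//g'
}

# is_iso_date NAME -> true when NAME looks like YYYY-MM-DD.
is_iso_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# archive_before_cutover SRC DEST CUTOVER
#   Moves every SRC/<ip>/<date>.log with <date> earlier than CUTOVER to
#   DEST/<ip>/<date>.log (creating DEST/<ip>), and prints each moved file as
#   <ip>/<date>.log. Files not named as a date (e.g. rsyslog.debug) and the
#   cutover day's own files stay in place, so nothing still being written to
#   is moved out from under the forwarder.
archive_before_cutover() {
    src=$1; dest=$2; cutover=$3
    if ! is_iso_date "$cutover"; then
        echo "cutover must be YYYY-MM-DD, got '$cutover'" >&2
        return 2
    fi
    ckey=$(date_key "$cutover")
    for ipdir in "$src"/*/; do
        [ -d "$ipdir" ] || continue
        ip=$(basename "$ipdir")
        for f in "$ipdir"*.log; do
            [ -f "$f" ] || continue
            day=$(basename "$f" .log)
            is_iso_date "$day" || continue
            if [ "$(date_key "$day")" -lt "$ckey" ]; then
                mkdir -p "$dest/$ip"
                mv "$f" "$dest/$ip/$day.log"
                echo "$ip/$day.log"
            fi
        done
    done
}

# build_sample_tree DIR: constructed sample data mirroring the reply's layout,
# plus one non-dated file that must be left alone.
build_sample_tree() {
    mkdir -p "$1/192.168.1.1" "$1/192.168.1.10"
    echo "Oct  4 00:00:01 host1 sshd[1]: sample line" > "$1/192.168.1.1/2011-10-04.log"
    echo "Oct  4 00:00:02 host2 sshd[2]: sample line" > "$1/192.168.1.10/2011-10-04.log"
    echo "Oct  3 23:59:59 host2 sshd[3]: sample line" > "$1/192.168.1.10/2011-10-03.log"
    echo "not a daily log" > "$1/192.168.1.10/rsyslog.debug"
}

# Demo: run as `sh migrate.sh demo` to see it work on a throwaway tree.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    build_sample_tree "$tmp/syslog"
    echo "moved (cutover 2011-10-04):"
    archive_before_cutover "$tmp/syslog" "$tmp/archive" 2011-10-04
    rm -rf "$tmp"
fi
```

Run it on Server B just before starting the forwarder there, with the monitor stanza in inputs.conf pointing at the syslog tree and the archive directory located outside that tree (a monitor input recurses into subdirectories by default, so an archive placed underneath the monitored path would still be picked up). Moving only files dated before the cutover day, rather than everything, keeps the day currently being written untouched. This also sidesteps the offset question in the original post: because the two servers' files differ as a result of the UDP drops mentioned there, byte offsets recorded on Server A would not line up with the files on Server B anyway.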