Splunk Universal Forwarder and Two Destinations

Path Finder

Hi,

I have a Splunk forwarder sending data to my prod box, and I see a need to build a new dev server for testing/researching. I have a quick question.

My output.conf on Universal Forwarder looks like:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 198.11.16.1:9997

[tcpout-server://198.11.16.1:9997]

This has the IP of my first Splunk server. Can I add another server here, and if yes, how will it look?

Is this the only file I need to edit, and then restart the Splunk forwarder, to be done?

0 Karma

Nikhil,

What you are attempting to do is called "Data Cloning". For this type of situation you will need 2 target groups, and then specify each indexer in that target group. Look at Data Cloning in the Documentation here.

Also, while nice, I would actually rename the target groups to your liking, such as:

[tcpout]
defaultGroup = productionSplunk, developmentSplunk

[tcpout:productionSplunk]
server = 198.11.16.1:9997

[tcpout:developmentSplunk]
server = 198.11.16.X:9997

As always, tcpout-server is optional. Read the documentation link for more information.
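
Added example, not part of the original answer and not Splunk's own tooling: a Python check that reads an outputs.conf body, lists where each target group named in defaultGroup sends data, and flags cloning and any destination outside an approved set. The function name audit_outputs, the approved set, and the sample text (the cloning layout from this thread) are assumptions for illustration.

```python
import configparser

# Constructed sample: the two-target-group (cloning) layout from this thread.
SAMPLE = """\
[tcpout]
defaultGroup = productionSplunk, developmentSplunk

[tcpout:productionSplunk]
server = 198.11.16.1:9997

[tcpout:developmentSplunk]
server = 198.11.16.2:9997
"""

def _csv(value):
    """Split a comma-separated setting into trimmed, non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def audit_outputs(conf_text, approved):
    """Return (servers per default target group, findings) for outputs.conf text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case, e.g. defaultGroup
    cp.read_string(conf_text)

    routes, findings = {}, []
    for group in _csv(cp.get("tcpout", "defaultGroup", fallback="")):
        section = f"tcpout:{group}"
        if not cp.has_section(section):
            findings.append(f"defaultGroup names '{group}' but [{section}] is missing")
            continue
        routes[group] = _csv(cp.get(section, "server", fallback=""))
        if not routes[group]:
            findings.append(f"[{section}] has no server setting")
        for dest in routes[group]:
            if dest not in approved:
                findings.append(f"[{section}] sends to unapproved destination {dest}")
    # Several target groups in defaultGroup means cloning: each group receives
    # a full copy. Several servers inside one group means load balancing instead.
    if len(routes) > 1:
        findings.append("data cloning: each event goes to " + ", ".join(routes))
    return routes, findings

if __name__ == "__main__":
    # Assumed policy: only the production indexer is an approved destination.
    routes, findings = audit_outputs(SAMPLE, approved={"198.11.16.1:9997"})
    print(routes)
    print("\n".join(findings))
```

Run it against each forwarder's deployed outputs.conf with the approved set taken from your own inventory, so a production data copy going to a dev indexer shows up as an explicit finding.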

Path Finder

I tried this, but it stopped the prod stream too...
Any error you see, or do I need to do anything on the indexer too?

[tcpout]
defaultGroup = productionSplunk, developmentSplunk

[tcpout:productionSplunk]
server = 198.11.16.1:9997

[tcpout:developmentSplunk]
server = 198.11.16.2:9997

0 Karma

Path Finder

Another quickie... in [tcpout], does the [] refer to a comment?

0 Karma

Because the name is arbitrary to begin with it should be trivial to make the change.

As far as licensing is concerned data cloning is usually covered under an HA license. I have asked a few Splunkers about dev/test and don't have an answer for you. Probably best to contact your Sales rep or Splunk Certified Partner to shore that up.

0 Karma

Path Finder

Thanks, makes sense. If I rename defaultGroup = productionSplunk, to defaultGroup = productionSplunk, it should not have any effect on the already live production instance, right? Also, do we use the licenses two times if we use data cloning (as these are separate instances)? I don't want a dev server to be part of the production cluster.

0 Karma