Getting Data In

Why are we unable to send collection logs on Universal forwarder to both old and new indexers?

OMohi
Path Finder

Hi

We have a client who wants to migrate sending network device logs from his universal forwarder server from his POC (search head + indexer) servers to our prod indexers.

But when I point to the prod indexers by name in the outputs.conf file under /opt/splunkforwarder/etc/system/local/outputs.conf:

outputs.conf:
[tcpout:indexers]
server=193.91.168.181:9997,205.145.98.20:9997

[tcpout]
defaultGroup=s05

[tcpout:S05]
server=LOUWEBWPL20S02:9997,LOUWEBWPL20S03:9997

autoLB = true
autoLBFrequency = 31
forceTimebasedAutoLB = true
useACK = true

The log collection stops on the original POC servers, and on the new indexers there is no data coming in either.

What am I missing here?

My prod indexer servers are :

LOUXXXWPLXXS02:9997
LOUXXXWPLXXS03:9997

and their POC indexer servers are :

190.XX.XXX.XXX:9997,202.XXX.XXX.XX:9997

Why am I unable to do load balancing?

Thanks,

Mohammed 

1 Solution

jayannah
Builder

Hi

The below change should work for you. I have made 2 corrections.
1. S05 ==> s05 (upper case 'S' to lower case 's')
2. defaultGroup=s05 ==> defaultGroup=s05, indexers (this is required to send the same data to both sets of indexers)

Check and let me know.

outputs.conf:

[tcpout]
defaultGroup=s05, indexers

[tcpout:indexers]
server=193.91.168.181:9997,205.145.98.20:9997

[tcpout:s05]
server=LOUWEBWPL20S02:9997,LOUWEBWPL20S03:9997
autoLB = true
autoLBFrequency = 31
forceTimebasedAutoLB = true
useACK = true

=====
The above configuration will work. In case it doesn't, check the following:
1. Use IP addresses for the servers in case DNS resolution creates a problem due to the firewall
2. Ensure there are no firewall restrictions
3. Ensure port 9997 is open on the indexers (receiver side)

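One way to catch both problems jayannah found before restarting the forwarder, as an added example that is not part of the original thread: a small Python check that parses outputs.conf the way Splunk reads it (stanza names matched case-sensitively) and reports any defaultGroup entry without a matching [tcpout:<group>] stanza, plus any group stanza that defaultGroup leaves out. The sample configuration is embedded from the question; the function names are my own.

```python
import configparser

# Constructed sample: the forwarder config from the question above, with the
# defaultGroup/stanza case mismatch and the unreferenced group left in place.
BROKEN_CONF = """
[tcpout:indexers]
server=193.91.168.181:9997,205.145.98.20:9997

[tcpout]
defaultGroup=s05

[tcpout:S05]
server=LOUWEBWPL20S02:9997,LOUWEBWPL20S03:9997
autoLB = true
useACK = true
"""

def parse_outputs(text):
    # Splunk stanza and attribute names are case-sensitive, so stop
    # configparser from lower-casing keys (its default behaviour).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_default_groups(text):
    """Return a list of problems; an empty list means every group named in
    defaultGroup has a [tcpout:<group>] stanza with a server= list."""
    cp = parse_outputs(text)
    if not cp.has_option("tcpout", "defaultGroup"):
        return ["[tcpout] has no defaultGroup, so the forwarder sends nothing"]
    groups = [g.strip() for g in cp.get("tcpout", "defaultGroup").split(",") if g.strip()]
    stanzas = {s.split(":", 1)[1]: s for s in cp.sections() if s.startswith("tcpout:")}
    problems = []
    for g in groups:
        if g not in stanzas:  # exact match only, as Splunk requires
            near = [s for s in stanzas if s.lower() == g.lower()]
            hint = f" (case mismatch with [tcpout:{near[0]}])" if near else ""
            problems.append(f"defaultGroup names '{g}' but no [tcpout:{g}] stanza exists{hint}")
        elif not cp.has_option(stanzas[g], "server"):
            problems.append(f"[tcpout:{g}] has no server= setting")
    # A group stanza that defaultGroup does not list receives no data at all.
    for g in sorted(set(stanzas) - set(groups)):
        problems.append(f"[tcpout:{g}] is defined but not listed in defaultGroup")
    return problems

if __name__ == "__main__":
    for p in check_default_groups(BROKEN_CONF):
        print("WARN:", p)
```

On the forwarder itself, `$SPLUNK_HOME/bin/splunk btool outputs list --debug` shows the merged stanzas Splunk actually loaded and which file each setting came from, which is the quickest way to confirm that a corrected outputs.conf is the one in effect.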

OMohi
Path Finder

Thanks for your time investigating this issue. You were right on. I forgot to mention the two target groups as my default group. Also there was a typo in one of the default groups, S for s.

This assisted me in troubleshooting the matter.

Thanks again!!
