Getting Data In

can I configure universal forwarders to forward to multiple splunk indexers?

csclement
Engager

I tried to add more than one forward server to an universal forwarder. But it seems that only one can stay active.

root@splunk01:# /opt/splunkforwarder/bin/splunk list forward-server
Active forwards:
a.b.c.d:9997
Configured but inactive forwards:
192.168.100.100:8384
forwarder.splunkstorm.com:9997

Is it possible to let the universal forwarder forward logs to more than one indexer?

furthermore, can I configure universal forwarder to forward some logs to one forward server, and other logs to another forward server?

Tags (1)
0 Karma
1 Solution

asimagu
Builder

try this in outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
autoLB = true
autoLBFrequency = 31
server = ip_server1:9997,ip_server2:9997
useACK=true

View solution in original post

asimagu
Builder

try this in outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
autoLB = true
autoLBFrequency = 31
server = ip_server1:9997,ip_server2:9997
useACK=true

dwaddle
SplunkTrust
SplunkTrust

Since it worked, can you please accept the answer as correct by clicking the checkbox to the left? Thanks!

jonthanze
Explorer

It worked !

it just needed a moment to have the changes occurs.

Thanks guys !

0 Karma

linu1988
Champion

did you check for all the other factor between the forwarder and second ip_server2?

telnet from the forwarder if they are able to connect. And if you want all events present in both the server remove the autoLB=true option.

0 Karma

jonthanze
Explorer

Hi

I tried this, but it still doesn't change the fact that my second indexer appears as inactive forwards.
Can you please help ?

0 Karma