Can I configure universal forwarders to forward to multiple Splunk indexers?

csclement
Engager

I tried to add more than one forward server to a universal forwarder, but it seems that only one can stay active.

root@splunk01:# /opt/splunkforwarder/bin/splunk list forward-server
Active forwards:
a.b.c.d:9997
Configured but inactive forwards:
192.168.100.100:8384
forwarder.splunkstorm.com:9997

Is it possible to let the universal forwarder forward logs to more than one indexer?

Furthermore, can I configure the universal forwarder to forward some logs to one forward server, and other logs to another forward server?

0 Karma
1 Solution

asimagu
Builder

Try this in outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
autoLB = true
autoLBFrequency = 31
server = ip_server1:9997,ip_server2:9997
useACK=true

dwaddle
SplunkTrust

Since it worked, can you please accept the answer as correct by clicking the checkbox to the left? Thanks!

jonthanze
Explorer

It worked!

It just needed a moment to have the changes occur.

Thanks guys!

0 Karma

linu1988
Champion

Did you check for all the other factors between the forwarder and the second ip_server2?

Telnet from the forwarder to see if they are able to connect. And if you want all events present in both servers, remove the autoLB=true option.

0 Karma

jonthanze
Explorer

Hi

I tried this, but it still doesn't change the fact that my second indexer appears under inactive forwards.
Can you please help?

0 Karma
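
The second part of the question (some logs to one forward server, other logs to another) alongside the load-balanced group from the accepted answer, as an added example that is not from any of the posts above. The group names, host names and monitored paths are placeholders; `defaultGroup`, `server`, `useACK` and `_TCP_ROUTING` are standard outputs.conf and inputs.conf settings.

```ini
# ---- outputs.conf on the universal forwarder (constructed example) ----

[tcpout]
# Inputs that set no _TCP_ROUTING are sent to every group listed here.
# Listing two groups sends a copy of each event to both groups (cloning).
defaultGroup = primary_indexers,security_indexers

# Servers inside ONE group are load balanced:
# each event reaches only one of them, not all of them.
[tcpout:primary_indexers]
server = idx1.example.com:9997,idx2.example.com:9997
useACK = true

# A second group with its own receiver.
[tcpout:security_indexers]
server = siem1.example.com:9997
useACK = true

# ---- inputs.conf on the same forwarder (constructed example) ----

# No _TCP_ROUTING: follows defaultGroup, so both groups get a copy.
[monitor:///var/log/messages]

# Routed only to the security group; primary_indexers never sees it.
[monitor:///var/log/secure]
_TCP_ROUTING = security_indexers
```

Restart the forwarder after changing either file, then rerun the `list forward-server` command from the question to see which targets are active.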