set instance as a forwarder meanwhile an indexer

crazyeva
Contributor

4 high-performance PC servers; I want them all to be INDEXERs.
Logs are uploaded to one of them, not by any FORWARDER.

I want to set 1 server as a forwarder, to distribute logs to the other 3, 1/4 of the logs each, meanwhile letting it keep 1/4 for itself to eat. What should I do with those .confs?

And I want to back up splunk-eaten-data, maybe 'splunk/var', through scripts, daily. What targets should I choose to back up? Since I will not assign a dedicated MASTER-PEER to a 64GB memory instance.

Thanks!

0 Karma

kristian_kolb
Ultra Champion

You can certainly install a universal forwarder on the machine where the files get uploaded, as if the forwarder had been a separate machine. Then define the four indexers in your outputs.conf in the forwarder instance. Just make sure that only the forwarder monitors the files, not the indexer instance on the same host. I think that this is the easiest (perhaps only) way to ensure that the events are evenly distributed between the indexers.

Not too sure about what you mean with your backup question. But you can always read up on what you may want to back up in the docs:

http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Backupconfigurations
http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/Backupindexeddata

/K

0 Karma
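
The layout described in the accepted answer, written out as configuration. This is an added example, not part of the original posts; the host names `idx1`..`idx4.example.com`, the group name `all_indexers`, the upload directory `/data/uploads` and receiving port 9997 are assumptions to replace with your own values.

```ini
# ---- Universal forwarder instance on the upload host ----
# Installed in its own directory, next to the indexer instance on that host.
# The two instances must not share a management port.

# inputs.conf (forwarder instance ONLY; do not monitor this path on the indexer)
# /data/uploads is an assumed path
[monitor:///data/uploads]
disabled = false

# outputs.conf (forwarder instance)
[tcpout]
defaultGroup = all_indexers

[tcpout:all_indexers]
# All four indexers are listed, including the one on the upload host (idx1, assumed name).
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997, idx4.example.com:9997
# The forwarder picks another indexer from the list every N seconds, so the
# split evens out over time rather than being an exact 1/4 per file.
autoLBFrequency = 30

# ---- Each of the four indexer instances ----
# inputs.conf: listen for forwarded data on the receiving port
[splunktcp://9997]
disabled = false
```

Restrict port 9997 on each indexer to the forwarder's address so that only the intended instance can send events into the indexes.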

kristian_kolb
Ultra Champion

Routing and filtering (as described in http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Routeandfilterdatad ) needs to be done on a Heavy Forwarder (or Indexer) - if you want to do anything but the most basic routing.

0 Karma

crazyeva
Contributor

Thank you.
I have to let Splunk do some “route and filter” work. It seems the universal forwarder is not able to do that.
I have to let the indexer do it?

0 Karma