how to forward same data to two different indexers...

pranil · ‎03-26-2018

before my question i want you to show my data-flow. the data-flow is like universal forwarder to heavy-forwarder and later to indexers. so, my question is, i am here trying to send same data to two different indexers using UFs through heavy forwarder to indexers. so is there any possible solution for this. i know we can send data or logs directly to indexers using UF but in my case i was only looking to forward data with heavy-forwarder ?
UF---> HF---> (indexerA, indexerB)

FrankVl · ‎03-27-2018

On your HFs: define multiple target groups in outputs.conf, one for each (set of) indexer(s), and then assign both target groups to the defaultGroup. The HF will then clone the data to both destinations.

Example here: http://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Configureforwardingwithoutputs.conf#...

[tcpout]
defaultGroup=indexer1,indexer2

[tcpout:indexer1]
server=10.1.1.197:9997

[tcpout:indexer2]
server=10.1.1.200:9997

Even though that mentions Universal Forwarder, it would look the same on a HF and since in your case it is the HFs connecting to the indexers, that is where you need to put the cloning config.

how to forward same data to two different indexers, with the following data flow, universal forwarder to heavyforwarder to indexers

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability