Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why data is not been routing to second group when we have issue with first group of indexers?

gandusarath538
New Member
‎03-14-2018 10:26 AM

Hello All, We need help on below issue?

while we are routing data 2 different indexer groups using _TCP_ROUTING in inputs.conf and when one group is down data didnot forwarded to second group of indexers? Is this expected?

Please provide your inputs if you have any similar issue or know how to handle this case.

Thanks

Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎03-14-2018 11:54 AM

If you are using cloned groups.The default is to stop all forwarding as soon as one group is not accepting data.
Check for settings in outputs.conf like blockOnCloning
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

For syslog routing it's also stopping as soon at splunktcp or syslog are blocked.
For _TCP_ROUTING I am not sure of the behavior , it may be the same

0 Karma
Reply

pellegrini
Path Finder
‎05-03-2021 07:49 AM

Not true, according to the outputs.conf manual since version 7 at least. One cloned output group should be enough to keep the event flow running.

Whether or not the TcpOutputProcessor should wait until at least one
  of the cloned output groups receives events before attempting to send
  more events.
* If set to "true", the TcpOutputProcessor blocks until at least one of the
  cloned groups receives events.

The definition of a cloned group is according to the manual, when there are two ore more groups in the defaultGroup attribute. https://docs.splunk.com/Documentation/Forwarder/8.1.3/Forwarder/Configureforwardingwithoutputs.conf

This is so strange, since the real behavior is like Rich says. That's my experience as well. https://community.splunk.com/t5/Getting-Data-In/Any-data-forwarding-issue-using-data-cloning-and-dif...

If there is one or no groups in defaultGroup you might have some different behavior, since then you must use _TCP_ROUTING instead, and the event metadata is tagged with the route in that case, which is probably not the case if you use two groups in defaultGroup. 

Anyone with any practical experience, please share.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...