I created a new Splunk Enterprise instance which I want to connect to my already pre-existing main Enterprise instance with the bulk of our data. The intention of having 2 is so I can track the heartbeat messages between each server to one another and alert when one or the other goes down. I already have the new instance connected to the old one through outputs.conf - and this gives me the ability to search for its heartbeat logs in index=_internal. However, connecting the main original instance to the new one is a different story. I have it forwarding to the new instance the same way, using outputs.conf. However, I believe that this is too much for the new instance to handle, as it is a ton of data (which I don't even want to go there). Is there a way that I can have it establish the connection so I can monitor for heartbeats, but not send any data? Perhaps there are settings I can tweak that disable the sending of anything but keep that connection between the two - without turning off indexing on the new instance, so I am able to monitor and alert when the old instance stops sending heartbeats when it goes offline.
Don't have the two systems forward to each other - it won't work.
I haven't tried it myself, but you may have luck setting up each system as a search peer to the other. Go to Settings->Distributed Search and click "Add new". This allows each system to search what is stored on the other without having to send the raw data between them.
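Once each instance can see the other's _internal events (for example through the search peers suggested above), the alert the asker wants reduces to "no heartbeat from the other instance within N minutes". The following is an added example, not code from this thread or from Splunk; the event format, host names and timestamps are constructed to illustrate the check, and the threshold logic is written in Python so it can be run offline:

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events, loosely modelled on splunkd.log lines from index=_internal
# with a trailing "host=" marker naming the instance that emitted the event. They are
# not captured from a real deployment. One malformed line is included on purpose.
SAMPLE_EVENTS = """\
06-01-2024 10:00:05.000 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.2:9997 host=splunk-main
06-01-2024 10:01:05.000 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.1:9997 host=splunk-new
06-01-2024 10:02:05.000 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.2:9997 host=splunk-main
this line is not a heartbeat event and must be skipped
06-01-2024 10:10:05.000 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.1:9997 host=splunk-new
"""

# Instances we expect to hear from (hypothetical names); a host that never appears
# at all is also reported, so a peer that stopped sending before the window is caught.
EXPECTED_HOSTS = {"splunk-main", "splunk-new", "splunk-dr"}
CHECK_TIME = datetime(2024, 6, 1, 10, 15, 5, tzinfo=timezone.utc)  # "now" for the check
MAX_GAP = timedelta(minutes=5)  # alert when the last heartbeat is older than this

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>\w+)\s+(?P<msg>.*?)\s+host=(?P<host>\S+)$"
)


def parse_event(line):
    """Return (timestamp, host) for a heartbeat-style line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
    return ts, m.group("host")


def last_seen(lines):
    """Map each host to the timestamp of its most recent parseable event."""
    seen = {}
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue  # ignore malformed lines instead of aborting the whole check
        ts, host = parsed
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def stale_hosts(lines, expected_hosts, now, max_gap):
    """Return [(host, gap_seconds)] for hosts whose heartbeat is stale; gap is None if never seen."""
    seen = last_seen(lines)
    stale = []
    for host in sorted(expected_hosts):
        if host not in seen:
            stale.append((host, None))
        elif now - seen[host] > max_gap:
            stale.append((host, int((now - seen[host]).total_seconds())))
    return stale


def run_check():
    """Evaluate the constructed sample against the configured window."""
    return stale_hosts(SAMPLE_EVENTS.splitlines(), EXPECTED_HOSTS, CHECK_TIME, MAX_GAP)


if __name__ == "__main__":
    for host, gap in run_check():
        print(f"ALERT {host}: {'never seen' if gap is None else f'last heartbeat {gap}s ago'}")
```

With the sample above, splunk-main is reported (last seen 13 minutes before the check), splunk-dr is reported as never seen, and splunk-new is exactly at the 5-minute boundary and therefore not yet stale.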