Splunk Enterprise

Forwarding Event Logs from Search Head to Indexer

ddelaneymdw
New Member

How do I leverage Splunk_TA_Windows on a search head (distributed search w/ 2 indexing peers) to send the event logs to an index on the indexers? I see some traffic on SplunkBase that people figured it out but did not post the "how".

Please help,


LiquidTension
Path Finder

Though my environment is unix, this should help point you in the right direction.

Note: I forward all data from my search heads to my indexers; nothing is indexed on any of my search heads.

You would need an outputs app pointing your search head to your indexers.

[tcpout:prod_splunk_indexers]
server=x:portx,y:portx,z:portx
useACK=true

You would also need an indexes app telling your search head where to store the index data

[main]
homePath = volume:hot/defaultdb/db
coldPath = volume:cold/defaultdb/colddb
repFactor = auto

Then you want another app identifying the volumes:

# This simple config gives a path for "volume:hot" and "volume:cold" so that non-indexers
# (search heads, cluster masters, etc.) can have the same indexes config, but not complain
# about a missing volume spec at startup.
[volume:hot]
path = X

[volume:cold]
path = Y
# This is also copied from the cluster master's settings.
maxVolumeDataSizeMB = 3000000

Then ship the Splunk_TA_Windows app just like you would for any other windows host.
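As an added check (example code, not part of the original post), the following Python parses the three kinds of conf fragments shown above and flags the problems the answer is guarding against: an indexes.conf path that references a volume no stanza defines, a tcpout group with no servers, and useACK left off. The host names and paths in the sample confs are constructed placeholders.

```python
import configparser

# Constructed sample .conf contents modelled on the answer above (hypothetical hosts and paths).
OUTPUTS_CONF = """
[tcpout:prod_splunk_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
useACK = true
"""
INDEXES_CONF = """
[main]
homePath = volume:hot/defaultdb/db
coldPath = volume:cold/defaultdb/colddb
repFactor = auto
"""
VOLUMES_CONF = """
[volume:hot]
path = /opt/splunk/var/lib/splunk
[volume:cold]
path = /opt/splunk/var/lib/splunk
maxVolumeDataSizeMB = 3000000
"""

def parse_conf(text):
    """Parse Splunk .conf text (INI-like, '#' comments, '=' only) into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # Splunk keys such as homePath are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def check_search_head_config(outputs, indexes, volumes):
    """Return a list of problems a forwarding search head would hit at startup or when sending."""
    problems = []
    groups = {s: kv for s, kv in parse_conf(outputs).items() if s.startswith("tcpout:")}
    if not groups:
        problems.append("outputs.conf: no [tcpout:<group>] stanza, nothing is forwarded")
    for name, kv in groups.items():
        servers = [h.strip() for h in kv.get("server", "").split(",") if h.strip()]
        if not servers:
            problems.append(f"outputs.conf: {name} lists no server")
        if kv.get("useACK", "false").lower() != "true":
            problems.append(f"outputs.conf: {name} has useACK disabled, data can be lost")
    defined = {s for s in parse_conf(volumes) if s.startswith("volume:")}
    for idx, kv in parse_conf(indexes).items():
        for key in ("homePath", "coldPath"):
            path = kv.get(key, "")
            if path.startswith("volume:"):
                vol = path.split("/", 1)[0]  # "volume:hot/defaultdb/db" -> "volume:hot"
                if vol not in defined:
                    problems.append(f"indexes.conf: [{idx}] {key} references undefined {vol}")
    return problems
```

Run it against the conf files of a search head app bundle before deploying; an empty list means the volume references, server list and acknowledgement setting are consistent.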
