Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

TCP ROUTING and Indexer Discovery- How to configure?

lrodriguez
Engager
‎03-28-2023 11:52 AM

Hello everyone! 

In this scenario i have one Heavy forwarder and one indexer cluster (of course the is a Cluster Manager over there). 

The HF have some inputs configured in this way (inputs.conf): 

[mi_input://List_Deployment_State]

index = endpoint
sourcetype = endpoint
_TCP_ROUTING = ixChabelaGroup

And the outputs were configured in this way (outputs.conf): 

[tcpout]
defaultGroup = ixChabelaGroup
defaultGroup = default-autolb-group

[tcpout:ixChabelaGroup]
server = 192.189.2.25:9997

As you can see the TCP_ROUTING is only sending data to one Indexer and we want to balance the data forwarding to the entire cluster. 

My question is: what would it happen if i enable the indexer discovery in the Heavy Forwarder?  as follows: 

[tcpout:idxc-forwarders]

indexerDiscovery = cluster1

useACK=true

[indexer_discovery:cluster1]

master_uri = https://192.189.2.26:8089

pass4SymmKey = MyUnhashedPasswd

There will be a conflict between the indexer discovery and the _tcp_routing declared? 

Or what is the proper way to configure the indexer discovery in my HF?

Thanks in advance for your support. 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-28-2023 12:37 PM

It's not clear what will happen if _TCP_ROUTING references a name not in outputs.conf, but probably won't be what you want.  I suggest removing _TCP_ROUTING settings from all inputs.conf files unless there is a need for input-specific routing.  Then the settings in outputs.conf will control how data is sent to the indexers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-28-2023 12:37 PM

It's not clear what will happen if _TCP_ROUTING references a name not in outputs.conf, but probably won't be what you want.  I suggest removing _TCP_ROUTING settings from all inputs.conf files unless there is a need for input-specific routing.  Then the settings in outputs.conf will control how data is sent to the indexers.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

lrodriguez
Engager
‎03-28-2023 02:25 PM

What do you think if i keep the two configurations in the same stanza (indexer discovery and _tcp_routing) ?
It will cause any kind of conflict?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-28-2023 05:04 PM

Indexer discovery and _TCP_ROUTING are not in the same stanza - they're not even in the same files.  Get rid of _TCP_ROUTING.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What’s a riddle wrapped in an enigma?

September 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

BORE at .conf25

Boss Of Regular Expression (BORE) was an interactive session run again this year at .conf25 by the brilliant ...

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...