Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

TCP ROUTING and Indexer Discovery- How to configure?

lrodriguez
Engager
‎03-28-2023 11:52 AM

Hello everyone! 

In this scenario i have one Heavy forwarder and one indexer cluster (of course the is a Cluster Manager over there). 

The HF have some inputs configured in this way (inputs.conf): 

[mi_input://List_Deployment_State]

index = endpoint
sourcetype = endpoint
_TCP_ROUTING = ixChabelaGroup

And the outputs were configured in this way (outputs.conf): 

[tcpout]
defaultGroup = ixChabelaGroup
defaultGroup = default-autolb-group

[tcpout:ixChabelaGroup]
server = 192.189.2.25:9997

As you can see the TCP_ROUTING is only sending data to one Indexer and we want to balance the data forwarding to the entire cluster. 

My question is: what would it happen if i enable the indexer discovery in the Heavy Forwarder?  as follows: 

[tcpout:idxc-forwarders]

indexerDiscovery = cluster1

useACK=true

[indexer_discovery:cluster1]

master_uri = https://192.189.2.26:8089

pass4SymmKey = MyUnhashedPasswd

There will be a conflict between the indexer discovery and the _tcp_routing declared? 

Or what is the proper way to configure the indexer discovery in my HF?

Thanks in advance for your support. 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-28-2023 12:37 PM

It's not clear what will happen if _TCP_ROUTING references a name not in outputs.conf, but probably won't be what you want.  I suggest removing _TCP_ROUTING settings from all inputs.conf files unless there is a need for input-specific routing.  Then the settings in outputs.conf will control how data is sent to the indexers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-28-2023 12:37 PM

It's not clear what will happen if _TCP_ROUTING references a name not in outputs.conf, but probably won't be what you want.  I suggest removing _TCP_ROUTING settings from all inputs.conf files unless there is a need for input-specific routing.  Then the settings in outputs.conf will control how data is sent to the indexers.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

lrodriguez
Engager
‎03-28-2023 02:25 PM

What do you think if i keep the two configurations in the same stanza (indexer discovery and _tcp_routing) ?
It will cause any kind of conflict?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-28-2023 05:04 PM

Indexer discovery and _TCP_ROUTING are not in the same stanza - they're not even in the same files.  Get rid of _TCP_ROUTING.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...