Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to send same data to multiple separate splunk instances- UF

r999
Path Finder
‎08-13-2013 03:29 PM

I have a splunk UF on a Linux server. (4.3.6)

I want to send the local log files to 2 separate splunk instances, so both get a copy of the exact same data. (not autoLB across 2, not send different data to each one)

how can I do this from a UF?

Outputs.conf has two groups defined called Location1 and Location2

like this

1)specify multiple groups:

[monitor:///app/logs/work/*]
_TCP_ROUTING=Location1;Location2
index = test1
sourcetype = work

2) repeat same monitor stanza:

[monitor:///app/logs/work/*]
_TCP_ROUTING=Location1
index = test1
sourcetype = work

[monitor:///app/logs/work/*]
_TCP_ROUTING=Location2
index = test1
sourcetype = work

3) I though of using indexAndForward but I don’t want any transforms/props to take place from say Location1 before it sends to Location2, and I don’t really want Location 1 to be a dependency for Location2.

Advice please

Reply

arunsunny
Path Finder
‎09-01-2017 07:39 AM

Use the below two .conf on the source where you are trying to send data !!!!

inputs.conf

[monitor:///app/logs/work/*]
sourcetype = work
index = test1

outputs.conf

[tcpout]
defaultGroup=indexerGroup1,indexerGroup2

[tcpout:indexerGroup1]
server=server1:9997

[tcpout:indexerGroup2]
server=server2:9997

At the receiver side have the below configuration.

inputs.conf

[splunktcp://9997]

[splunktcp://9997]
_TCP_ROUTING=indexerGroup1

[splunktcp://9997]
_TCP_ROUTING=indexerGroup2

Regards,
Arun

0 Karma
Reply

lukejadamec
Super Champion
‎08-13-2013 03:58 PM

[tcpout]
defaultGroup=indexer1,indexer2

[tcpout:indexer1]
server=10.1.1.197:9997

[tcpout:indexer2]
server=10.1.1.200:9997

The forwarder will send duplicate data streams to the servers specified in both the indexer1 and indexer2 target groups.

Reply

r999
Path Finder
‎08-14-2013 04:07 AM

How does it work if not the defaultGroup, and we are using _TCP_ROUTING as in my example?

i.e some data in default group is being sent instance A.

we use tcp routing to send data to other locations.

should this work?

[monitor:///app/logs/work/*]
_TCP_ROUTING=Location1;Location2
index = test1
sourcetype = work
0 Karma
Reply

wagnerbianchi
Splunk Employee
Splunk Employee
‎08-13-2013 03:45 PM

Perhaps are you talking about Data Cloning?

http://docs.splunk.com/Documentation/Splunk/5.0.4/Deploy/Configureforwarderswithoutputs.confd#Types_...

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...