Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to send same data to multiple separate splunk instances- UF

r999
Path Finder
‎08-13-2013 03:29 PM

I have a splunk UF on a Linux server. (4.3.6)

I want to send the local log files to 2 separate splunk instances, so both get a copy of the exact same data. (not autoLB across 2, not send different data to each one)

how can I do this from a UF?

Outputs.conf has two groups defined called Location1 and Location2

like this

1)specify multiple groups:

[monitor:///app/logs/work/*]
_TCP_ROUTING=Location1;Location2
index = test1
sourcetype = work

2) repeat same monitor stanza:

[monitor:///app/logs/work/*]
_TCP_ROUTING=Location1
index = test1
sourcetype = work

[monitor:///app/logs/work/*]
_TCP_ROUTING=Location2
index = test1
sourcetype = work

3) I though of using indexAndForward but I don’t want any transforms/props to take place from say Location1 before it sends to Location2, and I don’t really want Location 1 to be a dependency for Location2.

Advice please

Reply

arunsunny
Path Finder
‎09-01-2017 07:39 AM

Use the below two .conf on the source where you are trying to send data !!!!

inputs.conf

[monitor:///app/logs/work/*]
sourcetype = work
index = test1

outputs.conf

[tcpout]
defaultGroup=indexerGroup1,indexerGroup2

[tcpout:indexerGroup1]
server=server1:9997

[tcpout:indexerGroup2]
server=server2:9997

At the receiver side have the below configuration.

inputs.conf

[splunktcp://9997]

[splunktcp://9997]
_TCP_ROUTING=indexerGroup1

[splunktcp://9997]
_TCP_ROUTING=indexerGroup2

Regards,
Arun

0 Karma
Reply

lukejadamec
Super Champion
‎08-13-2013 03:58 PM

[tcpout]
defaultGroup=indexer1,indexer2

[tcpout:indexer1]
server=10.1.1.197:9997

[tcpout:indexer2]
server=10.1.1.200:9997

The forwarder will send duplicate data streams to the servers specified in both the indexer1 and indexer2 target groups.

Reply

r999
Path Finder
‎08-14-2013 04:07 AM

How does it work if not the defaultGroup, and we are using _TCP_ROUTING as in my example?

i.e some data in default group is being sent instance A.

we use tcp routing to send data to other locations.

should this work?

[monitor:///app/logs/work/*]
_TCP_ROUTING=Location1;Location2
index = test1
sourcetype = work
0 Karma
Reply

wagnerbianchi
Splunk Employee
Splunk Employee
‎08-13-2013 03:45 PM

Perhaps are you talking about Data Cloning?

http://docs.splunk.com/Documentation/Splunk/5.0.4/Deploy/Configureforwarderswithoutputs.confd#Types_...

Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top