UF sending data in LB fashion

nikhilmehra79 · ‎05-22-2014

I have following config in my output.conf

[tcpout]
defaultGroup = productionSplunk1, productionSplunk2

[tcpout:productionSplunk1]
server = X.X.X.X:9997

[tcpout:productionSplunk2]

server = Y.Y.Y.Y:9997

I have search head and 2 indexers (x.x.x.x) and (y.y.y.y), when i now look in search head i am gettign double events , eg say UF send 2 events, i am getting 4 at search head - 2 from each of above indexers.

I expected the UF to send data to me in LB fashioned. Which is what it is not doing, any idea what is bad with my config

HiroshiSatoh · ‎05-22-2014

It is my config file. 1 minute at intervals will then load balance.

my output.conf
[tcpout]
defaultGroup = LB_indexers

[tcpout:LB_indexers]
disabled = false
autoLBFrequency = 60
server = x.x.x.x:9997,y.y.y.y:9997

HiroshiSatoh · ‎05-22-2014

I was referring to this URL.

http://docs.splunk.com/Documentation/Splunk/5.0.5/Deploy/Configureforwarderswithoutputs.confd

I think whether this serves as a reference.

http://blogs.splunk.com/2014/03/18/time-based-load-balancing/

nikhilmehra79 · ‎05-22-2014

Do you really need?

[tcpout] defaultGroup = LB_indexers

nikhilmehra79 · ‎05-22-2014

i am trying now this - does this look fine?
[tcpout:my_LB_indexers]
server=X.X.X.X:9997,Y.Y.Y.Y:9997

nikhilmehra79 · ‎05-22-2014

Thanks , qq - what is significance of 1 minute - does it tell UF to send data 1 minute apart ?

UF sending data in LB fashion

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!