Our network has 4 "zones". In general, servers in each zone can only talk to other servers in the same zone as them. As such, we have a Splunk indexer in each zone, which should be receiving input from all the forwarders in its zone. All forwarders are, however, able to talk to a single Deployment Server. At present, I am pushing (via the Deployment Server) a different outputs.conf file to the forwarders in each zone, directing them to send their data to the zone-specific indexer. I'd like to simplify this by pushing only one outputs.conf, which would include all 4 indexers in it, and allow the forwarder to make the decision on which to use based on which one it can reach.
I believe I can do this easily by configuring all 4 indexers in an outputs.conf file and allowing the forwarder to replicate data among all 4. Obviously, only one indexer will ever actually receive the data. I'm concerned, however, that this will produce a bunch of unneeded network traffic, firewall log events, and Splunk errors as the forwarder keeps retrying indexers it cannot reach. Is there a better way to achieve this goal?
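For reference, here is what the two configurations discussed in the post look like on disk. This is an added example, not configuration from the poster or from their deployment; the hostnames, ports and app names are assumptions. The first part is the single outputs.conf the post proposes, with all four indexers in one tcpout group; Splunk treats the servers listed in one group as a load-balancing pool and skips members it cannot connect to, with connectionTimeout bounding how long each failed attempt takes and autoLBFrequency controlling how often the forwarder rotates targets. The second part is the per-zone serverclass.conf arrangement on the Deployment Server that the post describes as the current setup, shown for one zone.

```ini
# --- outputs.conf, one copy pushed to every forwarder (assumed hostnames/ports) ---
[tcpout]
defaultGroup = all_zones

[tcpout:all_zones]
# All four zone indexers in ONE group: the forwarder load-balances across the
# list and skips members it cannot connect to. Listing several groups in
# defaultGroup would instead clone every event to each group.
server = idx-zone1.example.internal:9997, idx-zone2.example.internal:9997, idx-zone3.example.internal:9997, idx-zone4.example.internal:9997
# Seconds to wait for a TCP connect before treating a member as unreachable
connectionTimeout = 20
# Seconds between load-balancing switches to another member of the group
autoLBFrequency = 30

# --- serverclass.conf on the Deployment Server (current per-zone approach) ---
# One server class per zone, matched by forwarder hostname pattern (assumed
# naming scheme), each receiving its own app containing a zone-specific
# outputs.conf. Zones 2 to 4 follow the same pattern.
[serverClass:zone1_forwarders]
whitelist.0 = fwd-zone1-*

[serverClass:zone1_forwarders:app:outputs_zone1]
restartSplunkd = true
```

In the single-file variant, each app directory that previously held a zone-specific outputs.conf is replaced by one app (for example outputs_all_zones) targeted at a server class whose whitelist matches every forwarder.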