Only because testing has shown that while all of the other data flows properly, splunk stream data doesn't seem to distribute.
When you configure the input from wire data you list a destination, we currently have that set to the same heavy forwarder in hopes that would result in the forwarder sending the information through the normal routing in outputs.conf. That doesn't work.
I can also point the splunk app for stream location to be one of the indexers and that also works fine.
The goal would be to configure it in the way that both you and I expect it to. So the outputs.conf drives where the data goes, and the stream forwarder just captures it to route.
These are all systems that have well functioning configurations in place other then the stream functionality. That is it gathers a whole boat load of logs and sends to distributed indexers and everything has worked amazingly well. Add stream app, enable TCP/UDP, and add in the wire data inputs. The wire data input is currently set the default which I would expect to work, then just use the underlying outputs.conf to send the data to the distributed indexer environment.
... View more