Can I forward the same log files on the Forwarder ...

lctanlc · ‎05-28-2017

On the WEB01 and WEB02 servers, I have installed Splunk Forwarder and successfully forwarded the following log files to a APP server that was installed with Splunk Enterprise:

On WEB01 server, D:\log\application1.log
On WEB01 server, D:\log\application2.log
On WEB02 server, D:\log\application1.log
On WEB02 server, D:\log\application2.log

I am now being told to also forward these files to another ENT server, which was installed with a later version of Splunk Enterprise. May I know how should I go about doing such without impacting the original forwarding to the APP server?

gjanders · ‎05-30-2017

aakwah's answer is valid, I'm just providing some official links.

Data Cloning in the splexicon and/or also refer to the configure data cloning section of outputs.conf

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

aakwah · ‎05-29-2017

Hello,

In outputs.conf of forwarders, you can have something like this:

[tcpout]
defaultGroup=indexer1,indexer2

[tcpout:indexer1]
server=10.1.1.197:9997

[tcpout:indexer2]
server=10.1.1.200:9997

Regards

lctanlc · ‎05-29-2017

Hi! Will I need to restart anything for the modified outputs.conf file to take effect on the forwarders? How do I go about restarting it?

ggssa2000 · ‎05-29-2017

go to the cmd line and type: $SPLUNK_HOME/bin/splunk restart

Can I forward the same log files on the Forwarder to two different Splunk Enterprise?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?