- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Can i tcpout to multiple servers with output.c...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Complete newbie to Splunk, have just setup a distributed search structure (1 deployment server, 1 search head, 2 indexers).
I am deploying the 'sendtoindexer' app from my deployment server and as part of that i need to configure the following in the outputs.conf file for the app.
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = <indexer_hostname_or_ip_address>:<port>
[tcpout-server://<indexer_hostname_or_ip_address>:<port>]
WIll this format work? I want to send data to both of my indexers as they are clustered. Or will that create duplicate data once they start replicating?
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.1.4.32:9997,10.1.4.33:9997
[tcpout-server://10.1.4.32:9997,10.1.4.33:9997]
I have setup receiving on the indexers already so its just the format i need to enable the forwarder(s) to send the information correctly. I am also running without a licence at the moment, we plan to purchase Enterprise this month. Would that disable any features for this type of setup?
Thanks in advance,
Jay
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was told to change my outputs.conf file to this:
[tcpout]
defaultGroup = My_Cluster_1
[tcpout:My_Cluster_1]
disabled=false
server = 10.1.4.32:9997,10.1.4.33:9997
I still dont know if i have configued it right as i cant get any data from my deployment clients to my indexers. I have spoken to a support representative and they think the issue is because i have Splunk Free and NOT Splunk Enterprise installed Slams head against desk. Hopefully when i get an enterprise licence installed the clients will start sending info to the indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was told to change my outputs.conf file to this:
[tcpout]
defaultGroup = My_Cluster_1
[tcpout:My_Cluster_1]
disabled=false
server = 10.1.4.32:9997,10.1.4.33:9997
I still dont know if i have configued it right as i cant get any data from my deployment clients to my indexers. I have spoken to a support representative and they think the issue is because i have Splunk Free and NOT Splunk Enterprise installed Slams head against desk. Hopefully when i get an enterprise licence installed the clients will start sending info to the indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can configure load balance between indexer like this
[tcpout]
defaultGroup=my_indexers
[tcpout:my_indexers]
server=mysplunk_indexer1:9997, mysplunk_indexer2:9996
[tcpout-server://mysplunk_indexer1:9997]
[tcpout-server://mysplunk_indexer2:9997]
MOre details here
http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Configureforwarderswithoutputs.confd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks very much.
I have have separated my indexers out with the format you suggested. Not sure if this is working yet as i am still going through the set-up, ill let you know how i get on.
Cheers,
Jay
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
