Hi,
I have a Splunk forwarder sending data to my prod box, and I see a need to build a new dev server for testing/researching. I have a quick question.
My output.conf on Universal Forwarder looks like:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 198.11.16.1:9997
[tcpout-server://198.11.16.1:9997]
Which has the IP of my first Splunk server. Can I add another server here, and if yes, how will it look?
Is this the only file I need to edit, and then restart the Splunk forwarder, to be done?
Nikhil,
What you are attempting to do is called "Data Cloning". For this type of situation you will need 2 target groups, and then specify each indexer in that target group. Look at Data Cloning in the Documentation here.
Also, while nice, I would actually rename the target groups to your liking, such as:
[tcpout]
defaultGroup = productionSplunk, developmentSplunk
[tcpout:productionSplunk]
server = 198.11.16.1:9997
[tcpout:developmentSplunk]
server = 198.11.16.X:9997
As always, tcpout-server is optional. Read the documentation link for more information.
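A pre-restart sanity check for the cloning layout in the answer above, added here as an example; it is not part of the original thread or of Splunk's own tooling. It parses outputs.conf text and reports which indexers each group named in defaultGroup sends to, flagging a group that has no [tcpout:<name>] stanza or no server; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the two-group cloning layout from the answer above.
SAMPLE = """\
[tcpout]
defaultGroup = productionSplunk, developmentSplunk
[tcpout:productionSplunk]
server = 198.11.16.1:9997
[tcpout:developmentSplunk]
server = 198.11.16.2:9997
"""

def parse_conf(text):
    """Parse .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def check_outputs(text):
    """Return (routing, problems): group -> servers, plus config errors."""
    conf = parse_conf(text)
    groups = split_list(conf.get("tcpout", {}).get("defaultGroup", ""))
    routing, problems = {}, []
    if not groups:
        problems.append("[tcpout] has no defaultGroup")
    for group in groups:
        stanza = conf.get(f"tcpout:{group}")
        if stanza is None:
            problems.append(f"defaultGroup names '{group}' but [tcpout:{group}] is missing")
            continue
        routing[group] = split_list(stanza.get("server", ""))
        if not routing[group]:
            problems.append(f"[tcpout:{group}] has no server setting")
        problems += [f"[tcpout:{group}] server '{s}' lacks a numeric port"
                     for s in routing[group] if not re.search(r":\d{1,5}$", s)]
    return routing, problems

if __name__ == "__main__":
    print(check_outputs(SAMPLE))
```

Each group listed in defaultGroup receives its own full copy of the data (cloning), while several servers inside one group are load-balanced rather than cloned.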
I tried this, but it stopped the prod stream too...
Any error you see, or do I need to do anything on the indexer too...?
[tcpout]
defaultGroup = productionSplunk, developmentSplunk
[tcpout:productionSplunk]
server = 198.11.16.1:9997
[tcpout:developmentSplunk]
server = 198.11.16.2:9997
Another quickie... [tcpout]: do the [] refer to a comment...?
Because the name is arbitrary to begin with it should be trivial to make the change.
As far as licensing is concerned data cloning is usually covered under an HA license. I have asked a few Splunkers about dev/test and don't have an answer for you. Probably best to contact your Sales rep or Splunk Certified Partner to shore that up.
Thanks, makes sense. If I rename defaultGroup = productionSplunk to defaultGroup = productionSplunk, it should not have any effect on the already live production instance, right? Also, do we use two times the licenses if we use data cloning (as these are separate instances)? I don't want a dev server to be part of the production cluster.