Solved: How to "add oneshot" to a cluster of indexers

jpincin · ‎01-09-2015

I want to import a large set of files, one time, into a cluster. Reading the documentation here:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorfilesanddirectoriesusingtheCLI

It's not obvious to me how to specify all 20 index nodes that I want to target with the import. For monitored files, I use the outputs.conf to specify the 20 indexers and ports... I'm not sure how to replicate this with "add oneshot".

Any advice?

yannK · ‎01-09-2015

The recommended method is to setup a forwarder, configure the outputs,conf to loadbalance to them
then run the oneshot on the forwarder.

Otherwise, If the log are available from the indexers , you can use the oneshot on the one of the indexers and rely on the replication to later replicate the data accross the indexers.

View solution in original post

yannK · ‎01-09-2015

The recommended method is to setup a forwarder, configure the outputs,conf to loadbalance to them
then run the oneshot on the forwarder.

Otherwise, If the log are available from the indexers , you can use the oneshot on the one of the indexers and rely on the replication to later replicate the data accross the indexers.

jpincin · ‎01-09-2015

I configured the forwarder; working like a charm. Thanks!

How to "add oneshot" to a cluster of indexers

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!