Getting Data In

How to "add oneshot" to a cluster of indexers

jpincin
Engager

I want to import a large set of files, one time, into a cluster. Reading the documentation here:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorfilesanddirectoriesusingtheCLI

It's not obvious to me how to specify all 20 index nodes that I want to target with the import. For monitored files, I use the outputs.conf to specify the 20 indexers and ports... I'm not sure how to replicate this with "add oneshot".

Any advice?

1 Solution

yannK
Splunk Employee
Splunk Employee

The recommended method is to setup a forwarder, configure the outputs,conf to loadbalance to them
then run the oneshot on the forwarder.

Otherwise, If the log are available from the indexers , you can use the oneshot on the one of the indexers and rely on the replication to later replicate the data accross the indexers.

View solution in original post

yannK
Splunk Employee
Splunk Employee

The recommended method is to setup a forwarder, configure the outputs,conf to loadbalance to them
then run the oneshot on the forwarder.

Otherwise, If the log are available from the indexers , you can use the oneshot on the one of the indexers and rely on the replication to later replicate the data accross the indexers.

jpincin
Engager

I configured the forwarder; working like a charm. Thanks!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...