Deployment Architecture

change indexer - point forwarder to another index server.

nurtdi
Path Finder

Hi,
I have one index server "A" and another one "B".
For a while I had few forwarders to send data to "A" (each forwarder data to specific index).
Now, I need to point one of the forwarders (let's call it "C") to "B".
I have added an index of "C" to "B" (same as on "A"), changed "C"'s outputs.conf to send data to "B", restarted both B and C...
I see connection from C to B, but no data is being sent.
To add some complexity - using SSL, so the data is encrypted and compressed.
I cannot find any traces of the problem in the logs, even in debug mode.
If you had been there - Your help is greatly appreciated!

Thank you, ildus

Tags (3)
1 Solution

nurtdi
Path Finder

Well, it is embarrassing to admit... I had a small typo in inputs.conf

View solution in original post

0 Karma

nurtdi
Path Finder

thank you for your help! I still did not get it to work, but I know it is SSL Certs issue now. My typo was in inputs.conf on server B and I simply overlooked an error 'Can't read certificate file'...

0 Karma

nurtdi
Path Finder

Well, it is embarrassing to admit... I had a small typo in inputs.conf

0 Karma

bwooden
Splunk Employee
Splunk Employee

If you don't see anything in the logs - it may be worth verifying the new index is available as a 'selected index' for the admin role (via the Manager).

0 Karma

nurtdi
Path Finder

The roles are not defined yet, all done under admin role.
I have generated the SSL certs and keys (really good answer on SSL setup is here: http://splunk-base.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certi...), no errors connecting forwarder to index server (although I suspect the problem might be here somewhere).
thank you, ildus

0 Karma

bwooden
Splunk Employee
Splunk Employee

When you created index "C" to indexer "B" did you also update the roles so that they searched index "C" by default?

Are you using the Splunk default certs for SSL or custom?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...