Getting Data In

Why is my forwarding configuration not forwarding data?

antifreke
Path Finder

Good afternoon. I am working on setting up the final piece of our Splunk infrastructure and have come across a little speed bump. The design is simple: Single Search Head, Dual Indexers, Syslog server (RH). I have data moving from the Syslog server to both indexers, but not from the indexers to the Search Head. My outputs on the indexer are as follows:

[tcpout]
defaultGroup = my_searchhead
indexAndForward = true
maxQueueSize = 500KB
forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = network1
forwardedindex.2.whitelist = guestnetwork
forwardedindex.3.whitelist = network2
forwardedindex.filter.disabled = true

[tcpout:my_searchhead]
server = x.x.x.x:9998

Search head Inputs has the following:

[splunktcp://9998]

Do I need to tweak anything else? Am I missing something really simple and overcomplicating it?


lguinn2
Legend

You do not send events from your indexers to your search head! You do not need any outputs.conf on the indexers!

Instead, you need to tell the search head where to search. You can do this in the GUI by setting up Distributed Search, or by creating/editing distsearch.conf on your search head. Here is the documentation for adding search peers to the search head.
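As an added example, not from the thread: the kind of distsearch.conf that replaces the outputs.conf in the question. It goes on the search head and lists the indexers as search peers over their management port; the indexer hostnames and port 8089 (Splunk's default management port) are assumptions.

```ini
# $SPLUNK_HOME/etc/system/local/distsearch.conf on the SEARCH HEAD (added example,
# not from the thread; indexer hostnames are placeholders).
#
# The indexers keep the data. The search head dispatches searches to them over
# their management port (8089 by default), so neither the [tcpout] stanza on the
# indexers nor the [splunktcp://9998] receiving input on the search head is needed.

[distributedSearch]
# Each peer is a URI of the form scheme://host:managementPort (not the 9998 receiving port).
servers = https://indexer1.example.com:8089, https://indexer2.example.com:8089

# Caveat: editing this file by hand does not establish trust. Each peer must also
# hold the search head's public key ($SPLUNK_HOME/etc/auth/distServerKeys/trusted.pem
# on the search head, copied to distServerKeys/<search-head-serverName>/trusted.pem
# on the peer). Adding peers through the GUI or this CLI command does that for you:
#   splunk add search-server https://indexer1.example.com:8089 \
#       -auth admin:<sh-password> -remoteUsername admin -remotePassword <peer-password>
# Verify the peer list with:
#   splunk list search-server -auth admin:<sh-password>
```

Only the management port needs to be reachable from the search head to each indexer; the indexers never open a connection back to the search head for this.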

antifreke
Path Finder

So, should I return the outputs.conf files in the indexers back to their default?

I have the distributed search set up on the Search Head. I think I was looking at this architecture completely wrong and misunderstanding the data flow.

I looked at my search head and did a query for index=network and it works. I was looking at this entire thing backwards. Thank you!!


lguinn2
Legend

You can return the outputs.conf on the indexers back to what it was before - but usually, the indexers don't need outputs.conf at all...


jmaple
Communicator

This configuration implies you are trying to index your events on your search head as well as your indexer. This is not how Splunk is intended to be used and I'm sure that's not what you intended either.

To search the data indexed on your indexers, simply make your indexers search peers of your search head using distsearch.conf.

https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Distsearchconf


jmaple
Communicator

This configuration implies that you are indexing events on your search head. Is that your intention?


suarezry
Builder

Typically, you configure your search head to forward searches to the indexers. You do not actually forward the data from the indexers to the search head.


antifreke
Path Finder

So the data stays on the indexers, and the search head performs searches from there to the indexers?
