Deployment Architecture

Deployment monitor question?

sieutruc
Contributor

Hello,

I installed deployment monitor apps (DM) on the indexers and the intermediate forwarders, but they seem not to show any data.
My architecture is:

   indexer01________________________________indexer02     

       intermediate forwarder (heavy Forwarder)

UF1_1 UF1_2 ....                       UF2_1 UF2_2 .....    (UF:Universal Forwarder)

After that, I installed DM on the 2 indexers because I want to use search in a separate indexer, and also installed DM on the heavy forwarder.

The result I got is just one result in indexer01:
1 event in index="summary_forwarders"
The others don't have any event in the "summary_forwarders" index.

My indexer01 also acts as a deployment server for other Splunk instances.

Can you show me the problem I have and how to use the deployment monitoring apps in my architecture?


echalex
Builder

Hi,

I've had the same kind of issue. Basically, that intermediate forwarder won't forward data for the _internal index. You will need to whitelist that.
Here is my question and solution.

In short, add this to etc/system/local/outputs.conf on your intermediate forwarder:

[tcpout]
forwardedindex.3.whitelist = _internal

Hope it helps. Let me know.
(Update: incorrectly specified inputs.conf. Real file is outputs.conf)

0 Karma

echalex
Builder

Hi,
I see you're using selective indexing. I don't know how well that mixes with the whitelist, since the whitelist can only be specified under [tcpout].

So, anything using the default routing is dropped, basically. Perhaps you should specify _INDEX_AND_FORWARD_ROUTING or _TCP_ROUTING for your internal logs?

I'm afraid you're using features I'm unfamiliar with, so I may be off the mark here.

0 Karma

sieutruc
Contributor

[tcpout]
defaultGroup = noforward
disabled=false
forwardedindex.3.whitelist = _internal

[indexAndForward]
index=true
selectiveIndexing=true

[tcpout:indexer01]
server=178.17.0.46:9997

[tcpout:indexer02]
server=178.17.0.47:9997

It doesn't work, even if I put this option in each tcpout. I don't know where to place that option.

0 Karma
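
Added example, not part of any post in this thread and not Splunk code: a Python check that reads an outputs.conf, applies the forwardedindex filters found in [tcpout], and lists forwardedindex keys placed in other stanzas, where (per the reply above) they are not honoured. Assumptions: the default filter list shown in the code, "highest-numbered matching filter decides" evaluation, and full-string regex matching; the sample configs and the 192.0.2.10 address are constructed.

```python
import configparser
import re

# Assumed defaults of older Splunk releases (not taken from the thread):
# forward everything, except indexes starting with "_", but do forward _audit.
DEFAULTS = {0: ("whitelist", ".*"), 1: ("blacklist", "_.*"), 2: ("whitelist", "_audit")}
KEY = re.compile(r"forwardedindex\.(\d+)\.(whitelist|blacklist)$")

def load_filters(conf_text):
    """Return (filters from [tcpout] merged over DEFAULTS, misplaced keys)."""
    cp = configparser.ConfigParser(delimiters=("=",), strict=False, interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(conf_text)
    filters, misplaced = dict(DEFAULTS), []
    for section in cp.sections():
        for key, value in cp.items(section):
            m = KEY.match(key)
            if not m:
                continue
            if section == "tcpout":  # the only stanza where the filter applies
                filters[int(m.group(1))] = (m.group(2), value.strip())
            else:
                misplaced.append(f"[{section}] {key}")
    return filters, misplaced

def is_forwarded(index, filters):
    """Assumed semantics: the highest-numbered filter that matches decides."""
    verdict = False
    for n in sorted(filters):
        kind, pattern = filters[n]
        if re.fullmatch(pattern, index):
            verdict = (kind == "whitelist")
    return verdict

# Constructed samples: the same whitelist line in the wrong and the right stanza.
MISPLACED = ("[tcpout]\ndefaultGroup = indexers\n"
             "[tcpout:indexers]\nserver = 192.0.2.10:9997\n"
             "forwardedindex.3.whitelist = _internal\n")
FIXED = ("[tcpout]\ndefaultGroup = indexers\n"
         "forwardedindex.3.whitelist = _internal\n"
         "[tcpout:indexers]\nserver = 192.0.2.10:9997\n")

if __name__ == "__main__":
    for name, text in (("misplaced", MISPLACED), ("fixed", FIXED)):
        filters, misplaced = load_filters(text)
        result = {i: is_forwarded(i, filters) for i in ("main", "_audit", "_internal")}
        print(name, result, "ignored keys:", misplaced)
```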

echalex
Builder

My bad! The correct file is actually outputs.conf and not inputs.conf.

It will take a while for the information to get through, since the deployment monitor is using summary indexes.
(The original answer has been corrected.)

0 Karma

sieutruc
Contributor

I did what you suggested, but I only see the intermediate forwarder in the indexer and don't see the other UFs. Do I need to activate that option on the UFs in order to see the whole architecture?

0 Karma