
How to forward the same data to two different indexers, with the following data flow: universal forwarder to heavy forwarder to indexers

pranil
New Member

Before my question, I want to show you my data flow. The data flow is universal forwarder to heavy forwarder and then to indexers. So, my question is: I am trying to send the same data to two different indexers, from UFs through a heavy forwarder to the indexers. Is there any possible solution for this? I know we can send data or logs directly to indexers using a UF, but in my case I am only looking to forward data through the heavy forwarder.
UF---> HF---> (indexerA, indexerB)


FrankVl
Ultra Champion

On your HFs: define multiple target groups in outputs.conf, one for each (set of) indexer(s), and then assign both target groups to the defaultGroup. The HF will then clone the data to both destinations.

Example here: http://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Configureforwardingwithoutputs.conf#...

[tcpout]
defaultGroup=indexer1,indexer2

[tcpout:indexer1]
server=10.1.1.197:9997

[tcpout:indexer2]
server=10.1.1.200:9997

Even though that mentions Universal Forwarder, it would look the same on a HF, and since in your case it is the HFs connecting to the indexers, that is where you need to put the cloning config.
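A way to check the cloning setup described in the answer above before deploying it to the HF, as an added example that is not part of the original post or of Splunk's tooling: the script reads an outputs.conf, confirms every group named in defaultGroup has a stanza with a server list, and reports whether data is cloned. The function names and the second server in indexer2 (10.1.1.201) are constructed for illustration; multiple servers inside one group are load-balanced, not cloned.

```python
import configparser

# Constructed sample: the answer's outputs.conf, plus one made-up extra
# server in indexer2 to show a load-balanced set inside a single group.
SAMPLE = """\
[tcpout]
defaultGroup=indexer1,indexer2

[tcpout:indexer1]
server=10.1.1.197:9997

[tcpout:indexer2]
server=10.1.1.200:9997,10.1.1.201:9997
"""

def _split(value):
    """Split a comma-separated setting into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def default_group_targets(text):
    """Return {group: [servers]} for each group named in [tcpout] defaultGroup.

    Raises ValueError when a named group has no stanza or no server list,
    because data intended for that destination would have nowhere to go.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep setting names as written (no lowercasing)
    cp.read_string(text)
    targets = {}
    for group in _split(cp.get("tcpout", "defaultGroup", fallback="")):
        stanza = "tcpout:" + group
        servers = _split(cp.get(stanza, "server", fallback=""))
        if not servers:
            raise ValueError(f"defaultGroup names '{group}' but [{stanza}] has no server")
        targets[group] = servers
    return targets

def describe(text):
    """Classify the forwarding mode: cloning needs two or more default groups."""
    targets = default_group_targets(text)
    mode = "cloned to each group" if len(targets) > 1 else "single group, no cloning"
    return mode, targets

if __name__ == "__main__":
    mode, targets = describe(SAMPLE)
    print(mode)
    for group, servers in targets.items():
        print(f"  {group}: {', '.join(servers)}")
```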
