I have one heavy forwarder and two different cloud indexers.
Both are the part for different cluster. Is it possible to send the data from the HF to both the cloud indexers at the same time.
What will be the steps?
You can create 2 different output groups in outputs.conf
but there are some important considerations/downsides, including:
1: You will take a license hit twice on this data.
2: Test the configurations for back-pressure problems. Depending on the version of Splunk and the settings that are in place, a blockage of one indexer tier can effect transmission of data to the unblocked indexer tier.
HI,
sure you can send data to both indexer.
Splunk automatically load balance incoming data to indexer you specify in outputs.conf
Like this
[tcpout: my_LB_indexers]
server=10.10.10.1:9997,10.10.10.2:9997
OR
if you want to clone the data like this:
[tcpout]
defaultGroup=indexer1,indexer2
[tcpout:indexer1]
server=10.1.1.197:9997
[tcpout:indexer2]
server=10.1.1.200:9997
docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Configureforwardingwithoutputs.conf#Configure_data_cloning_on_a_universal_forwarder_with_outputs.conf
It should be work as per the above steps as posted by dKeck. If still not working then please share the output.conf settings.
both the indexers are in different cloud and they are part of totally different cluster and environment.
@vin02ptl - Do you want same data to go to both indexers?
If that's the case I don't think this approach would work.
Sure just have a look at the docs about cloning.
Thanks for your reply.......yes I want same data to go to both the indexers.
Just test the config for cloning I posted. Its working
If you HF can send to both indexer via recieving port 9997 I don´t see why this should not work.
You can also set up your HF to be a gateway forwarder for other UF´s
https://docs.splunk.com/Documentation/SplunkCloud/7.2.3/Data/Forwarddata