Build in a development environment

ccsfdave · ‎06-19-2013

Greetings,

There must be some cookbook out there but I can't seem to find it. I have a 3 VM environment of a forwarder, indexer, and search head. I would like to create another VM for development. Can someone give me a general step by step of how to set up the 4th VM to act as a development environment doing its own indexing and searching of the logs collected by the forwarder?

Thanks for the help.

Dave

chris · ‎06-19-2013

On your forwarder you will have to configure your outputs to clone the events

outputs.conf

[tcpout]
defaultGroup = indexer_vm, dev_vm


[tcpout:indexer_vm]
server=Y.Y.Y.Y:9997

[tcpout:dev_vm]
server=X.X.X.X:9997

On your 4th VM just install Splunk and set it up like the indexer so it will listen on tcp:9997 you don't need to set up distributed searching because everything is done on one server. You might have to set the license server if you have that configured.

If you need more information let me know.

chris · ‎06-21-2013

Hi I updated the answer. If you deploy the outputs.conf to your forwarder from the search head then thats where you have to make the change.

ccsfdave · ‎06-20-2013

Chris,

What do I do about this:

[tcpout]
defaultGroup = primary_indexers

BTW, this is on my search head which is the deployment server. Is that where I should add the above:

[tcpout]
defaultGroup = primary_indexers

Thanks,

Dave

Build in a development environment

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life