Hello,
I installed deployment monitor apps (DM) on the indexers and the intermediate forwarders, but they do not seem to show any data.
My architecture is:
indexer01________________________________indexer02
intermediate forwarder (heavy Forwarder)
UF1_1 UF1_2 .... UF2_1 UF2_2 ..... (UF:Universal Forwarder)
After that, I installed DM on the 2 indexers because I want to use search in separate indexers, and also installed DM on the heavy forwarder.
The result I got is just one result in indexer01:
1 event in index="summary_forwarders"
The others don't have any events in the "summary_forwarders" index.
My indexer01 also acts as a deployment server for other Splunk instances.
Can you show me the problem I have and how to use the deployment monitoring apps in my architecture?
Hi,
I've had the same kind of issue. Basically, that intermediate forwarder won't forward data for the _internal index. You will need to whitelist that.
Here is my question and solution.
In short, add this to etc/system/local/outputs.conf on your intermediate forwarder:
[tcpout]
forwardedindex.3.whitelist = _internal
Hope it helps. Let me know.
(Update: incorrectly specified inputs.conf. Real file is outputs.conf)
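
Added example (not part of the original answer and not Splunk's own code): a small evaluator for the `forwardedindex.<n>` filter chain, showing why `_internal` is dropped until the extra whitelist entry is present. The default filter values are assumed from an older stock outputs.conf and do not appear on this page; the "last matching filter decides" and whole-name regex behaviour, and the helper names `parse_filters` and `is_forwarded`, are assumptions of this sketch.

```python
import re

# Assumed stock filters from an older system/default/outputs.conf
# (not shown on this page; check the default file of your version).
ASSUMED_DEFAULTS = """
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
"""

# The setting from the answer above, as placed in etc/system/local/outputs.conf.
LOCAL_FIX = """
[tcpout]
forwardedindex.3.whitelist = _internal
"""

KEY = re.compile(r"forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.+)")


def parse_filters(*conf_texts):
    """Collect forwardedindex.<n> filters under [tcpout]; later texts override."""
    filters = {}
    for text in conf_texts:
        stanza = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                stanza = line[1:-1]
                continue
            m = KEY.fullmatch(line)
            if stanza == "tcpout" and m:
                filters[int(m.group(1))] = (m.group(2), m.group(3).strip())
    return sorted(filters.items())


def is_forwarded(index, filters):
    """Test filters from 0 upward; the highest-numbered match decides.
    Whole-name matching is an assumption of this sketch."""
    verdict = False
    for _, (kind, pattern) in filters:
        if re.fullmatch(pattern, index):
            verdict = kind == "whitelist"
    return verdict


if __name__ == "__main__":
    for label, confs in (("defaults only", (ASSUMED_DEFAULTS,)),
                         ("with local fix", (ASSUMED_DEFAULTS, LOCAL_FIX))):
        f = parse_filters(*confs)
        print(label, {i: is_forwarded(i, f) for i in ("main", "_audit", "_internal")})
```
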
Hi,
I see you're using selective indexing. I don't know how well that mixes with the whitelist, since the whitelist can only be specified under [tcpout].
So, anything using the default routing is dropped, basically. Perhaps you should specify _INDEX_AND_FORWARD_ROUTING or _TCP_ROUTING for your internal logs?
I'm afraid you're using features I'm unfamiliar with, so I may be off the mark here.
[tcpout]
defaultGroup = noforward
disabled=false
forwardedindex.3.whitelist = _internal
[indexAndForward]
index=true
selectiveIndexing=true
[tcpout:indexer01]
server=178.17.0.46:9997
[tcpout:indexer02]
server=178.17.0.47:9997
It doesn't work, even when I put this option in each tcpout. I don't know where to place that option.
My bad! The correct file is actually outputs.conf and not inputs.conf.
It will take a while for the information to get through, since the deployment monitor is using summary indexes.
(The original answer has been corrected.)
I did what you suggested, but I only see the intermediate forwarder in the indexer and don't see the other UFs. Do I need to activate that option on the UFs in order to see the whole architecture?