Deployment Architecture

send data from heavy forwarder to peer index

Prakhar_shukla
Path Finder

Hello, I need to send a specific log file's data from the HF to a specific index on the peer.

bash-4.2$ more inputs.conf

[monitor:///tmp/Apache_test/Apache_Logs.txt]
_TCP_ROUTING = APCHA
index = test

bash-4.2$ more outputs.conf

[tcpout:APCHA]
server = cluser-peer.splunk.com:9997

I have already created an index in my cluser-peer.splunk.com server: index = test

After completing the set-up, when I tried to search index=test in the SH or anywhere else, I am getting no results.
Please help me out if I am missing anything.


gcusello
SplunkTrust
SplunkTrust

Hi Prakhar_shukla,
probably you didn't insert the full outputs.conf file, so at the end there's also the following row:

[tcpout-server://cluser-peer.splunk.com:9997]

At first I'd try to use the IP address instead of the hostname, to be sure that the host is correctly resolved.

If the problem is still present, try to debug the HF's logs:
in $SPLUNK_HOME/var/log/splunk/splunkd.log, search for connections to cluser-peer.splunk.com.

If the connection is correctly established, test log extraction by sending logs to all servers, deleting the _TCP_ROUTING = APCHA row in inputs.conf.

Try to insert crcSalt = <SOURCE> in the monitor stanza of the inputs.conf file (and restart Splunk, obviously!).

If you still have no logs in your indexer, verify the log path (/tmp/Apache_test/Apache_Logs.txt) and try to modify [monitor://......] in inputs.conf to use another log file.

Bye.
Giuseppe
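
As an added example (not from the thread and not Splunk's own code), a small Python checker that applies the checks above offline: it parses the two posted .conf files, confirms every _TCP_ROUTING group has a matching [tcpout:<group>] stanza, tests whether each server host resolves (which catches a cluser/cluster typo), and reports when useACK, the outputs.conf setting behind index acknowledgment, is off. The sample configs and the known_hosts table are constructed for the example.

```python
import configparser
import socket

# Constructed samples mirroring the two configs posted in the thread (plus the extra stanza).
INPUTS_CONF = """
[monitor:///tmp/Apache_test/Apache_Logs.txt]
_TCP_ROUTING = APCHA
index = test
"""
OUTPUTS_CONF = """
[tcpout:APCHA]
server = cluser-peer.splunk.com:9997
[tcpout-server://cluser-peer.splunk.com:9997]
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; body-less stanzas are allowed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # Splunk keys are case-sensitive (_TCP_ROUTING, useACK)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def _split(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def host_resolves(host, known_hosts=None):
    """Real DNS lookup, or membership in a constructed host table for offline checks."""
    if known_hosts is not None:
        return host in known_hosts
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False

def check_routing(inputs, outputs, known_hosts=None):
    """Return one finding per reason a _TCP_ROUTING group cannot deliver events as written."""
    findings = []
    groups = {n[len("tcpout:"):]: b for n, b in outputs.items() if n.startswith("tcpout:")}
    for stanza, body in inputs.items():  # _TCP_ROUTING is valid on any input stanza
        for group in _split(body.get("_TCP_ROUTING")):
            if group not in groups:
                findings.append(f"{stanza}: _TCP_ROUTING={group} has no [tcpout:{group}] stanza")
                continue
            for host in (s.rsplit(":", 1)[0] for s in _split(groups[group].get("server"))):
                if not host_resolves(host, known_hosts):
                    findings.append(f"[tcpout:{group}]: host {host!r} does not resolve (typo?)")
            if (groups[group].get("useACK") or "false").lower() != "true":
                findings.append(f"[tcpout:{group}]: useACK not enabled (index acknowledgment off)")
    return findings
```

Run it without known_hosts on a real forwarder to use live DNS; with the constructed table it reports the unresolvable cluser-peer host and the missing useACK for the thread's configs.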

Prakhar_shukla
Path Finder

thanks cusllo and woodcock, apart from adding the last line of the stanza, i had to enable index acknowlegment to make it work


woodcock
Esteemed Legend

The body-less stanza header is completely useless and unnecessary, so that cannot be it. I agree with the rest of what @cusello advises, though.


Prakhar_shukla
Path Finder

Hello cusello, in the search head I am getting data, but it is very weird:

1) In search I can see cluster-peer2 as the splunk_server in the SH; I only configured cluster-peer1 for this specific log monitoring.
2) It is coming via index "main" rather than the index (test) I created and specified in the input file.


3no
Communicator

Hi,
are you sure it's cluser? And not cluster?
