Solved: Re: How to "add oneshot" to a cluster of indexers

jpincin · ‎01-09-2015

I want to import a large set of files, one time, into a cluster. Reading the documentation here:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorfilesanddirectoriesusingtheCLI

It's not obvious to me how to specify all 20 index nodes that I want to target with the import. For monitored files, I use the outputs.conf to specify the 20 indexers and ports... I'm not sure how to replicate this with "add oneshot".

Any advice?

yannK · ‎01-09-2015

The recommended method is to setup a forwarder, configure the outputs,conf to loadbalance to them
then run the oneshot on the forwarder.

Otherwise, If the log are available from the indexers , you can use the oneshot on the one of the indexers and rely on the replication to later replicate the data accross the indexers.

View solution in original post

yannK · ‎01-09-2015

The recommended method is to setup a forwarder, configure the outputs,conf to loadbalance to them
then run the oneshot on the forwarder.

Otherwise, If the log are available from the indexers , you can use the oneshot on the one of the indexers and rely on the replication to later replicate the data accross the indexers.

jpincin · ‎01-09-2015

I configured the forwarder; working like a charm. Thanks!

How to "add oneshot" to a cluster of indexers

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio