In the outputs.conf file there is a place to send logs to multiple indexers:
[tcpout:my_indexers]
server = xxx.xxx.xxx.xxx:9999, yyy.yyy.yyy.yyy:9999, zzz.zzz.zzz.zzz:9999
As I understand it, this will send 1/3 of the logs to each indexer.
I would like to set up an outputs.conf that will send all the logs to different indexers: one for one group of analysts and another for the second group of analysts.
We cannot share the indexers in a distributed search from the search head.
Thanks for any help you can give.
Here's how you set up data cloning with just outputs.conf:
[tcpout]
defaultGroup = group1,group2,group3
[tcpout:group1]
server = 1.2.3.4:9997
[tcpout:group2]
server = 1.2.3.5:9997
[tcpout:group3]
server = 1.2.3.6:9997
Give this a try.
props.conf in $SPLUNK_HOME/etc/system/local:
[default]
TRANSFORMS-routing = multiRouting
transforms.conf in $SPLUNK_HOME/etc/system/local:
[multiRouting]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = FirstIndexer,SecondIndexer,ThirdIndexer
outputs.conf in $SPLUNK_HOME/etc/system/local:
[tcpout:FirstIndexer]
disabled = false
server = xxx.xxx.xxx.xxx:9999
[tcpout:SecondIndexer]
disabled = false
server = yyy.yyy.yyy.yyy:9999
[tcpout:ThirdIndexer]
disabled = false
server = zzz.zzz.zzz.zzz:9999
A restart will be needed.
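The two answers above rely on one distinction that is easy to get backwards when reading outputs.conf: several servers listed inside a single [tcpout:<group>] stanza are load-balanced (the forwarder sends to one of them at a time and rotates), while several groups named in defaultGroup, or in a transforms.conf FORMAT for _TCP_ROUTING, are cloned (every event goes to every group). The script below is an added example, not code from the thread or from Splunk; it parses an outputs.conf and an optional transforms.conf, reports which of the two behaviours the config produces, and flags group names in defaultGroup or FORMAT that no tcpout stanza defines. The sample configs, the IP addresses and the function names are constructed for the example; the fallback when defaultGroup is absent is an assumption noted in the code.

```python
# Added example (not from the thread): classify a Splunk outputs.conf as
# load-balancing or cloning, and check that routing group names line up.
import configparser

# Constructed sample: the original poster's config, one target group with
# three servers. Splunk load-balances across the servers of a single group,
# sending to one of them at a time and rotating at autoLBFrequency.
LB_OUTPUTS = """\
[tcpout:my_indexers]
server = 10.0.0.1:9999, 10.0.0.2:9999, 10.0.0.3:9999
"""

# Constructed sample: the cloning config from the first answer. Naming several
# target groups in defaultGroup makes every event go to every group.
CLONE_OUTPUTS = """\
[tcpout]
defaultGroup = group1,group2,group3

[tcpout:group1]
server = 1.2.3.4:9997

[tcpout:group2]
server = 1.2.3.5:9997

[tcpout:group3]
server = 1.2.3.6:9997
"""

# Constructed sample transforms.conf with a deliberate mistake: FORMAT names a
# group ("groupX") that outputs.conf never defines.
ROUTING_TRANSFORMS = """\
[multiRouting]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = group1,group2,groupX
"""


def parse_conf(text):
    """Parse a Splunk .conf file; stanza names contain ':' so only '=' is a delimiter."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep case: keys such as defaultGroup must not be lowercased
    cp.read_string(text)
    return cp


def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def tcpout_groups(cp):
    """Map each enabled [tcpout:<name>] stanza to its list of host:port endpoints."""
    groups = {}
    for section in cp.sections():
        if not section.startswith("tcpout:"):
            continue
        if cp.getboolean(section, "disabled", fallback=False):
            continue
        groups[section.split(":", 1)[1]] = split_list(cp.get(section, "server", fallback=""))
    return groups


def describe_routing(outputs_text, transforms_text=None):
    """Return a dict describing where a forwarder with this config sends events."""
    cp = parse_conf(outputs_text)
    groups = tcpout_groups(cp)
    if cp.has_option("tcpout", "defaultGroup"):
        targets = split_list(cp.get("tcpout", "defaultGroup"))
    else:
        # Assumption for this example: with no defaultGroup, report every
        # enabled group; confirm the fallback for your Splunk version.
        targets = list(groups)

    defined = [g for g in targets if g in groups]
    if len(defined) > 1:
        mode = "clone"          # each event copied to every target group
    elif len(defined) == 1 and len(groups[defined[0]]) > 1:
        mode = "load-balance"   # one copy, spread across the group's servers
    elif len(defined) == 1:
        mode = "single"
    else:
        mode = "none"

    report = {
        "mode": mode,
        "targets": {g: groups[g] for g in defined},
        "undefined_default_groups": [g for g in targets if g not in groups],
        "undefined_routing_groups": [],
    }
    if transforms_text:
        tp = parse_conf(transforms_text)
        for stanza in tp.sections():
            if tp.get(stanza, "DEST_KEY", fallback="") != "_TCP_ROUTING":
                continue
            fmt = split_list(tp.get(stanza, "FORMAT", fallback=""))
            report["undefined_routing_groups"] += [g for g in fmt if g not in groups]
    return report


if __name__ == "__main__":
    for label, text in (("question", LB_OUTPUTS), ("answer", CLONE_OUTPUTS)):
        print(label, describe_routing(text))
    print("routing check", describe_routing(CLONE_OUTPUTS, ROUTING_TRANSFORMS))
```

Run it against your own $SPLUNK_HOME/etc/system/local files by reading them into strings; a "load-balance" result on a config that was meant to feed two analyst groups means only one copy of each event is leaving the forwarder, and any name in undefined_routing_groups is a routing target that will never receive data.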
Thanks for your help.
It might work without the props.conf and transforms.conf changes. In my case I explicitly specified that everything should get routed to all three indexers. Let me know if it works with just outputs.conf.
Thanks, this helps.
If you don't mind, why do I need the props.conf and transforms.conf?
Won't this work with just the outputs.conf entries?