Ingesting data into two indexes from one Heavy For...

splunky1 · ‎05-17-2021

I have Splunk in the below design

One HF to two sperate indexers that are not clustered.

I have UF installed on my workstation and UF is sending logs to the HF.

HF has data inputs set to all types of windows logs to an index to windows and this is going to indexer A but data not going to indexer B.

My outputs.conf in the UF is like

[tcpout]
useACK = true
maxQueueSize = auto
readTimeout = 300

[tcpout:abchf]
server = 10.20.30.40:9997
compressed = TRUE
sslRootCAPath = C:/Program Files/SplunkUniversalForwarder/etc/apps/test
sslCertPath = C:/Program Files/SplunkUniversalForwarder/etc/apps/test
sslPassword = Password
sslVerifyServerCert = true
sslCommonNameToCheck = google.com

In the indexer A I can see the data is ingested but in the indexer B I cannot see the data.

As I mentioned earlier indexer A and indexer B are not clustered indexers.

gcusello · ‎05-17-2021

Hi @splunky1,

each Heavy Forwarder (don't ask me why because I never understood this!) sends logs to only one Indexer even if it has two Indexers available: it can change the destination Indexer, but always one at a time.

If you can is more efficient to use the Heavy Forwarder as a concentrator only if you have strickly security requirements, in other words, if you can is more efficient that UFs send their logs directly to the Indexers and use HF only for syslogs.

In addition if you have only one HF you have an additional Single Point of failure

Ciao.

Giuseppe

Ingesting data into two indexes from one Heavy Forwarder

heavy forwarder

indexer

intermediate forwarder

universal forwarder

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases