Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to have one Splunk Windows forwarder communicate with two separate Splunk environments?

ajdyer2000
Path Finder
‎11-14-2018 02:32 PM

Hi,

I was wondering if it is possible to have one Splunk Windows forwarder on a workstation communicate with 2 separate Splunk environments.

The MSI installer file is:

msiexec.exe /i "C:\temp\splunkforwarder-7.1.2-a0c72a66db66-x64-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER="SplunkServer-1:59443" SERVICESTARTTYPE=auto SET_ADMIN_USER=0 /l* C:\temp\splunkuflog.log /quiet

Would like to add SplunkServer-2

deploymentclient.conf

[target-broker:deploymentServer]
targetUri = SplunkServer-1:59443

0 Karma
Reply

DavidHourani
Super Champion
‎11-14-2018 03:06 PM

Hi there,

You can't connect one deployment client to two deployment servers simultaneously. Only one. For HA you will need to use DNS.

Also please be aware that using the following command writes deploymentclient.conf into splunkforwarder/etc/system/local, which means it will always be the one that is going to be used and will overwrite any configuration you try to send via DS:

msiexec.exe /i "C:\temp\splunkforwarder-7.1.2-a0c72a66db66-x64-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER="SplunkServer-1:59443" SERVICESTARTTYPE=auto SET_ADMIN_USER=0 /l* C:\temp\splunkuflog.log /quiet

For that reason please avoid using this option "DEPLOYMENT_SERVER="SplunkServer-1:59443" and simply create an application under splunkforwarder/etc/apps/ that contains the deploymentclient.conf file. That will allow you to modify this configuration for all your forwarders from the deployment server. If configuration remains in system/local you will not be able to modify that without manually logging into all your forwarders.

Cheers,
David

0 Karma
Reply

ajdyer2000
Path Finder
‎11-15-2018 06:40 AM

Hi David,

I probably was asking the question wrong.
I want to send event data to 2 separate Splunk deployments. 1 deployment server

Thanks
Alan

0 Karma
Reply

DavidHourani
Super Champion
‎11-15-2018 10:14 AM

Ah, that's simple ^^ have a look here :
https://answers.splunk.com/answers/98922/how-to-send-same-data-to-multiple-separate-splunk-instances...
You should have an output.conf like this : 

[tcpout]
defaultGroup=indexerGroup1,indexerGroup2

[tcpout:indexerGroup1]
server=10.1.1.197:9997,10.1.1.198:9997

[tcpout:indexerGroup2]
server=10.1.1.200:9997,10.1.1.201:9997

That will duplicate data to both groups.
Cheers,
David

0 Karma
Reply

sduff_splunk
Splunk Employee
Splunk Employee
‎11-14-2018 02:59 PM

To clarify, do you want to use 2 deployment servers for your client? If so, the deployment servers must be kept exactly the same, in terms of apps and configuration. Then you would need to place these behind a CNAME or common DNS entry that resolves to both of your dpeloyment servers, and configure your client to communicate with this. In addition, you will need to set crossServerChecksum = true in both serverclass.conf

What is your use-case for needing this?

Or are you looking to send event data to 2 separate Splunk deployments? That is a different questions all together

0 Karma
Reply

ajdyer2000
Path Finder
‎11-15-2018 06:39 AM

Thanks sduff,

I want to send event data to 2 separate Splunk deployments.

Thanks
Alan

0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...