**Environment:**
2x heavy forwarders (6.4.1) in a load balanced pool (sitting behind haproxy) and using indexer_discovery
1x cluster master, 3x indexer peers
2x search heads
**Question:**
I am receiving data in a specific clustered index when using a universal forwarder's inputs.conf:
```
[monitor:///opt/splunk/etc/system/local/]
disabled = 0
index=clustered_index
```
outputs.conf:
```
[tcpout]
defaultGroup = default-autolb-group-g0
[tcpout:default-autolb-group-g0]
server = 10.10.10.10:9997
[tcpout-server://10.10.10.10:9997]
```
So that's fine and I can search the data.
What I want to do is, as I have multiple receive ports on the HFs, I would like to just send everything received on port 9997, 5220, etc. to a specific index on the back-end cluster. This is from sources that do not have universal forwarders.
Am I able to just send all data from heavy forwarders to an index on a cluster that is not defaultdb/main?
I have tried setting inputs.conf on the HFs to:
```
[monitor://9997]
disabled = 0
index=clustered_index
```
but I do not seem to be seeing the traffic?
Thanks in advance!
Bry