I am forwarding data of one log file from 1 Heavy Forwarder to 2 Indexers. But the heavy forwarder is sending data only to Indexer2.
**I confirmed it by running a query on my search head and checking the value in the field "splunk_server". It was showing just one indexer, i.e. Indexer2.**
**OUTPUTS.CONF**
```
[indexAndForward]
index = false

[tcpout]
defaultGroup = grp
forwardedindex.filter.disable = true

[tcpout:grp]
disabled = 0
# server = 00.000.0.00:9997,00.000.0.00:9997
server = Indexer1:9997,Indexer2.synaptics.com:9997
useACK=true
forceTimebasedAutoLB = true
```
**INPUTS.CONF**
```
[monitor:///var/log/Folder1/Folder2]
host_segment=5
index=SomeIndex
sourcetype=SomeSourcetype
disabled=0
```
**PROPS.CONF**
```
[SomeSourcetype]
DATETIME_CONFIG =
MAX_TIMESTAMP_LOOKAHEAD = 32
NO_BINARY_CHECK = true
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = false
TIME_FORMAT = %b %d %H:%M:%S
TRANSFORMS = syslog-host
category = Operating System
description = Somedescription
disabled = false
maxDist = 3
pulldown_type = true
```
Output of the command `./splunk list forward-server`:

```
Active forwards:
Indexer1:9997
Indexer2.synaptics.com:9997
Configured but inactive forwards:
None
```
I am able to ping both indexers. Packets are being sent. I checked this with the Linux command "tcpdump dst indexer1".
**Please help.**