Advanced Configurations
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Advanced Configurations
Store and Forward
To configure a Splunk Server so that it both indexes data from its inputs locally and forwards the data on to another server, simply add a server to be forwarded to. The command to do this is "splunk add forward-server <ip:port>", as in "splunk add forward-server 10.1.1.147:9997". This will continue to index locally, as long as local indexing is enabled in Splunk's settings. This can be checked with "splunk display local-index -auth admin:<password>".
The "add forward-server" command will edit the files $SPLUNK_HOME/etc/modules/output/TCP/config.xml, $SPLUNK_HOME/etc/bundles/local/props.conf, and $SPLUNK_HOME/etc/bundles/local/regexes.conf. The latter two will only be modified when you add your very first forward server, or remove your very last forward server. The former is modified everytime you add or remove a server.
Redundant Forking
To configure a Splunk Server so that it forwards data to three different servers for redundancy, you can run the above command three times. First, disable local indexing if you wish ("splunk disable local-index"). Then add the servers as necessary. For example, "splunk add forward-server 10.1.1.147:9997", "splunk add forward-server 10.1.1.148:9997", and "splunk add forward-server 10.1.1.149:9997".
The local indexing command will modify $SPLUNK_HOME/etc/myinstall/splunkd.xml, and the "add forward-server" commands will edit the same files as listed above.
Conditional Routing
To configure a Splunk Server to forward some events but not others, or to forward different events to different servers, see the Conditional Routing Example for a real-world example.
This documentation applies to the following versions of Splunk: 2.1 , 2.2 , 2.2.1 , 2.2.3 , 2.2.6 View the Article History for its revisions.