Enable cloning

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Enable cloning

With cloning enabled, a Splunk forwarder sends its data to two or more other Splunk instances.

Configure cloning in outputs.conf on the forwarding server. Set up a target group of receiving servers to which the forwarder sends all its data.

On the forwarding server, add the following to $SPLUNK_HOME/etc/system/local/outputs.conf:

[tcpout]
defaultGroup = indexer1, indexer2
heartbeatFrequency=10
maxQueueSize=10000
[tcpout:indexer1]
server=10.1.1.197:9997
[tcpout:indexer2]
server=10.1.1.200:9999

This configuration will send every event to both 10.1.1.197:9997 and 10.1.1.200:9999. Make sure you enable receiving on all the servers you are sending cloned data to.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.3.4/Admin/EnableCloning"

« Set up SSL for forwarding and receiving Set up data balancing »

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.

Was this topic useful?
Post a comment

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Admin Manual

Enable cloning

Enable cloning

Comments